What Does Equinix’s DORA CTPP Designation Mean for Financial Services?

Data centers have become an essential part of our everyday lives, which explains why regulators are now looking closer at how they operate.

For one thing, financial institutions are increasingly outsourcing their information and communication technology (ICT) services to third parties such as data center operators. With data centers now playing an important role in banking, insurance and financial markets, many people are paying more attention to how they support operational resilience for these key sectors. For some data center operators in Europe, this attention has already led to new regulatory requirements.

The European Union (EU) Digital Operational Resilience Act (DORA) puts critical ICT service providers servicing financial institutions on center stage. Using a stringent set of qualitative and quantitative criteria and based on data provided by financial entities operating in the EU, the European Supervisory Authorities (ESAs) have identified a small number of digital infrastructure providers, including Equinix, as critical ICT third-party providers (CTPPs) for financial institutions. These CTPPs are now subject to the direct regulatory scrutiny of the ESAs, just like the banks, insurers and financial markets they serve.

For those of us who have been in the data center industry long enough, this shift was inevitable. We expected it, because we knew that our important role in the financial industry would eventually bring us under the same scope of regulation as our financial customers. We welcome it, because regulation creates accountability, and accountability is something we can demonstrate. And we’re prepared for it, because the work we’ve been doing for years on resilience, security and transparency is precisely what regulators are now asking to see.

What does this mean for financial institutions navigating DORA compliance today?

In November 2025, our designation as a CTPP under DORA was announced in recognition of the importance of the financial workloads hosted at our data centers and the critical role we play in enabling the stability and integrity of financial services in the EU. Equinix is only one of the 19 CTPPs designated under DORA thus far.

Equinix is on this list because our financial services customers identify us as providing services that support critical and important functions of their operations in the EU. Being under the direct oversight of the ESAs as a CTPP means that Equinix’s operations in the EU are subject to strict scrutiny and continuous monitoring to ensure that our rules, procedures, mechanisms and arrangements are comprehensive, sound and effective, allowing us to operate in a secure and resilient manner and not pose any substantial risks to the stability and integrity of the financial sector in the EU.

It’s important to understand what the CTPP designation really means. The designation itself does not mean that we’re DORA compliant from Day 1 of being designated. What it does mean is that we’re now under the direct scrutiny and oversight of the same regulatory bodies and the same regulatory baseline and governing framework that apply to our financial customers. Financial services institutions are ultimately responsible for their own DORA compliance, and DORA requires the financial services institutions to assess the operational and cyber resilience frameworks we have that may help with their own compliance efforts.

We fully appreciate that most of our financial customers operating in the EU are required to comply with DORA. When a financial customer chooses to deploy with us, they’re choosing a critical ICT provider that’s facing the same scrutiny from the ESAs as they are themselves. As their partner, we:

• Must meet strict standards of physical and information security, availability and continuity, cybersecurity, business continuity planning and disaster recovery
• Provide transparency into our own operational resilience
• Recognize the significant opportunity, value and impact our DORA compliance could have on the effective management of third-party ICT risks for our financial customers in the EU

How Equinix is working with the financial regulators today

Per the ESAs’ DORA Oversight Guide[1] published in July 2025, the direct oversight activities include:

• Designation (completed)
• Risk assessment and planning
• Examination activities
• Recommendations and follow-up

These activities are to be carried out according to the ESA’s annual oversight plan for Equinix in 2026.

Equinix’s CTPP designation signifies the fact that we’re a foundational element in the EU’s operational resilience framework. It also shows that we’re doing the work required to support our customers on their own DORA compliance journeys. It’s a responsibility that we fully embrace, and we look forward to developing our partnership with the ESAs over the coming years.

Managing compliance in hybrid multicloud environments

Financial institutions must balance their DORA requirements against the infrastructure requirements for their critical workloads such as AI. To get the best results for these workloads, they may be heavily reliant on a particular public cloud provider. Or, they may need a hybrid multicloud environment to capitalize on services from different clouds. This fact can further complicate their compliance efforts.

According to Equinix’s research on financial services, 64% of enterprise IT leaders said that it’s difficult to maintain consistent security policies across multiple clouds.

Against this backdrop, it’s especially valuable for financial institutions to work with a vendor-neutral provider like Equinix, which is both a designated CTPP and a long-standing partner to our other customers, some of whom are designated CTPPs themselves.

What DORA can teach us about the future of data center regulation

The impact of DORA will reverberate far beyond Europe’s borders:

• Operational resilience, cybersecurity accountability and third-party risk management are essential everywhere financial transactions take place, even where regulatory frameworks don’t exist yet.
• Financial leaders should proactively focus on these principles, instead of waiting for regulators to force their hands.

Looking toward the future, regulators in other jurisdictions are already drawing inspiration from DORA. They view it as a valuable framework for protecting their own citizens and ensuring those citizens can execute critical financial transactions within their borders.

The U.K. has already followed suit. Legislation passed earlier this year to establish the Critical Third Parties (CTPs) framework—a regulatory regime comparable to DORA. Hong Kong and Singapore also have similar regulations in development.

At Equinix, we believe that DORA is just the beginning of a new wave of data center regulation. We expect similar requirements in different jurisdictions and industries, and we’re working to ensure that we’re ready. We are already home to more than 1,350 financial services organizations globally, including hundreds of banks, payment companies, insurers and fintechs.

Irrespective of our DORA designation, thousands of enterprise customers across finance and other industry verticals already trust Equinix as their digital infrastructure partner. They come to Equinix because our neutral, interconnected data centers make it quick and easy to deploy in strategic locations throughout the world and then connect on demand with any of the thousands of partners and providers that make up the Equinix ecosystem. They also benefit from our built-in redundancy, which enables uptime of >99.9999%.

With today’s financial institutions balancing emerging compliance requirements against the need to support critical workloads in hybrid multicloud environments, it’s no wonder that so many financial IT leaders are changing their approach to digital infrastructure. To learn more, read the brief “Financial IT leaders are rethinking hybrid multicloud for AI privacy, security and compliance.”

This report, based on survey results from more than 1,600 enterprise IT leaders and in-depth interviews with financial services practitioners, provides valuable insights about how financial institutions are responding to their current infrastructure challenges.

[1] DORA Oversight Guide, European Insurance and Occupational Pensions Authority, July 15, 2025.