In the high-stakes world of European financial supervision, where the EU’s flagship Digital Operational Resilience Act (DORA) aims to tame the power of global tech giants, a new controversy is emerging from within one of the bloc’s key watchdogs.
A whistleblower contacted EUalive, raising serious questions about the European Insurance and Occupational Pensions Authority (EIOPA). The tip alleges that EIOPA is downplaying critical weaknesses in its own data management and IT security – weaknesses uncovered by the European Commission’s Internal Audit Service (IAS) – while simultaneously positioning itself as the enforcer of tough new rules on Critical ICT Third-Party Providers (CTPPs), including hyperscalers like Amazon Web Services, Microsoft Azure, and Google Cloud.
The story, as framed by the source, is one of transatlantic power struggles, regulatory double standards, and the risk that internal governance failures could undermine EIOPA’s authority to police some of the world’s most powerful technology companies.
What are CTPPs and why do they matter?
Under DORA (Regulation (EU) 2022/2554), the EU designated a small group of major technology, cloud, telecom, and data providers as Critical ICT Third-Party Providers (CTPPs). These entities are considered vital to the stability of the entire European financial system — banking, insurance, and securities markets alike.
On 18 November 2025, the three European Supervisory Authorities (EBA, EIOPA, and ESMA) published the first...
Read Full Story:
https://news.google.com/rss/articles/CBMi1gFBVV95cUxONXhZWE9fWk5KUTBIWWJ4YnZh...