Why this list?

The data controller always remains accountable for the data (e.g. employee data, customer files, patient records, etc.) should an event occur – even if they have delegated data handling, etc. to a supplier.

In the regulation, Recital 81 and article 24(1) specify that the controller may only appoint a processor/Cloud Service Provider (CSP) when it can be proven that the processor/CSP has the needed: