nexalign

Glossary term

ICT Concentration Risk

Also: DORA Art. 29, Third-party concentration

Risk arising from dependence on a single ICT third-party provider or on a small number of them. DORA Art. 29 obliges financial entities to analyse this risk explicitly and to manage it actively. Supervisors focus particularly on cloud hyperscalers and core banking system providers.

DORA Art. 29 requires financial entities, before contracting with an ICT third-party provider, to assess whether the contract would create a concentration on a single provider or on a tightly connected group of providers. The analysis must be documented in writing and reflected in the information register.

Dimensions: provider concentration (multiple critical functions with one provider), substitutability (within what timeframe a switch to another provider is realistic), sub-outsourcing chains (main providers and sub-providers overlap), geographic concentration (multiple data centres in the same region). Practical trap: AWS Frankfurt + AWS Dublin is still AWS.
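The four dimensions above can be checked mechanically against the information register. The following is an added example, not nexalign's or any regulator's tooling; the register rows, the provider group names, the regions and the exit timeframes are constructed sample data, and the thresholds are assumptions an entity would set itself. Contracts are aggregated by parent group rather than by contract name, which is what surfaces the "AWS Frankfurt + AWS Dublin" trap.

```python
from collections import defaultdict

# Constructed sample information register (not a real entity's data).
# One row per contracted ICT service; "group" is the provider's parent company.
REGISTER = [
    {"function": "core banking", "critical": True, "provider": "AWS Frankfurt",
     "group": "AWS", "region": "EU-Central", "subproviders": [], "exit_months": 18},
    {"function": "payments", "critical": True, "provider": "AWS Dublin",
     "group": "AWS", "region": "EU-West", "subproviders": [], "exit_months": 12},
    {"function": "HR portal", "critical": False, "provider": "SaaSCo",
     "group": "SaaSCo", "region": "EU-Central", "subproviders": ["AWS"], "exit_months": 3},
    {"function": "card processing", "critical": True, "provider": "CardProc AG",
     "group": "CardProc", "region": "EU-Central", "subproviders": ["AWS", "Akamai"],
     "exit_months": 9},
]


def provider_concentration(register, min_critical=2):
    """Parent groups hosting at least min_critical critical functions.
    Keying on group, not contract name, merges AWS Frankfurt and AWS Dublin."""
    by_group = defaultdict(list)
    for row in register:
        if row["critical"]:
            by_group[row["group"]].append(row["function"])
    return {g: sorted(f) for g, f in by_group.items() if len(f) >= min_critical}


def substitutability_issues(register, max_exit_months=12):
    """Critical functions whose documented exit exceeds the tolerated window (assumed threshold)."""
    return sorted(r["function"] for r in register
                  if r["critical"] and r["exit_months"] > max_exit_months)


def subcontracting_overlap(register):
    """Groups that are a main provider AND sit in another provider's sub-outsourcing chain:
    one outage then hits directly and indirectly dependent functions at the same time."""
    mains = {r["group"] for r in register}
    subs = {s for r in register for s in r["subproviders"]}
    return sorted(mains & subs)


def geographic_concentration(register, min_functions=2):
    """Regions hosting at least min_functions critical functions."""
    by_region = defaultdict(list)
    for row in register:
        if row["critical"]:
            by_region[row["region"]].append(row["function"])
    return {reg: sorted(f) for reg, f in by_region.items() if len(f) >= min_functions}


if __name__ == "__main__":
    for name, fn in [("provider", provider_concentration), ("exit", substitutability_issues),
                     ("sub-outsourcing", subcontracting_overlap), ("geo", geographic_concentration)]:
        print(f"{name}: {fn(REGISTER)}")
```

Each non-empty result is a finding that belongs in the written analysis and the decision memo; the output for the sample data shows AWS as a group concentration even though no single contract looks dominant.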

Supervisory response: where structural concentration risk exists, the national competent authority can order additional mitigation measures, demand exit plans or prohibit contracts. The Joint Examination Teams (JET) of the EU supervisors for critical ICT third-party providers become active in 2025/2026. Concentration-risk analyses are a mandatory part of every decision memo for critical ICT contracts.