Skip to main content
DORA Auditor

ICT Concentration Risk

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

ICT concentration risk is the risk that arises when a financial entity, or the sector as a whole, becomes overly dependent on a single ICT third-party provider or a small group of them. DORA Article 29 requires entities to assess this risk before and during outsourcing, particularly where substitution would be difficult.

Detailed explanation

Concentration risk has two dimensions under DORA. At the level of an individual financial entity, Article 29 requires an assessment of whether contracting a provider would create a heavy dependency on one supplier, whether multiple contracts sit with the same provider or closely linked providers, and how easily the service could be moved elsewhere. Entities must weigh the difficulty of substitution and the risks of sub-outsourcing, especially to providers based outside the EU. At the systemic level, the same dynamic is what the Oversight Framework is designed to contain: because much of the sector relies on the same handful of cloud and software providers, the failure of one could disrupt many entities at once. This is why substitutability and interconnectedness are among the criteria used to designate a critical ICT third-party provider. Managing concentration risk in practice means understanding exit strategies, maintaining a clear register of information, and avoiding lock-in where a service supports a critical or important function.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 29.

Related terms

Sources

  1. DORA Article 29, EUR-Lex