ICT Concentration Risk
ICT concentration risk is the risk that arises when a financial entity, or the sector as a whole, becomes overly dependent on a single ICT third-party provider or a small group of them. DORA Article 29 requires entities to assess this risk before and during outsourcing, particularly where substitution would be difficult.
Detailed explanation
Concentration risk has two dimensions under DORA. At the level of an individual financial entity, Article 29 requires an assessment of whether contracting a provider would create a heavy dependency on one supplier, whether multiple contracts sit with the same provider or closely linked providers, and how easily the service could be moved elsewhere. Entities must weigh the difficulty of substitution and the risks of sub-outsourcing, especially to providers based outside the EU. At the systemic level, the same dynamic is what the Oversight Framework is designed to contain: because much of the sector relies on the same handful of cloud and software providers, the failure of one could disrupt many entities at once. This is why substitutability and interconnectedness are among the criteria used to designate a critical ICT third-party provider. Managing concentration risk in practice means understanding exit strategies, maintaining a clear register of information, and avoiding lock-in where a service supports a critical or important function.
In context
This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 29.