Skip to main content
DORA Auditor

Article 29: Preliminary assessment of ICT concentration risk

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 29 requires entities to assess ICT concentration risk before entering contractual arrangements, including where a provider is not easily substitutable, or where multiple arrangements exist with the same or connected providers.

Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk

Key points

  • Requires assessment of ICT concentration risk
  • Considers substitutability of providers
  • Considers multiple arrangements with connected providers

How this fits DORA

Article 29 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 29 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex