Article 29: Preliminary assessment of ICT concentration risk
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 29 requires entities to assess ICT concentration risk before entering contractual arrangements, including where a provider is not easily substitutable, or where multiple arrangements exist with the same or connected providers.
Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk
Key points
- Requires assessment of ICT concentration risk
- Considers substitutability of providers
- Considers multiple arrangements with connected providers
How this fits DORA
Article 29 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 29 in the consolidated regulation on EUR-Lex.