Chapter V — Managing of ICT third-party risk
Section I — Key principles for a sound management of ICT third-party risk
Preliminary assessment of ICT concentration risk at entity level
Summary
Requires financial entities to assess ICT concentration risk before entering into new third-party arrangements, considering substitutability, dependencies on single providers, and the potential systemic impact of a provider failure.
Key Requirements
1. Assess concentration risk before entering new arrangements
2. Evaluate substitutability of ICT third-party providers
3. Consider systemic impact of provider failure
4. Identify alternatives and exit strategies
Detailed Analysis
Article 29 addresses one of DORA's most important concerns: the risk that concentration of ICT services among a small number of providers creates systemic vulnerabilities. If multiple financial entities depend on the same cloud provider, identity platform, or market data service, a single failure could cascade across the financial system.
Before entering into any new ICT third-party arrangement, financial entities must conduct a concentration risk assessment. This assessment must consider whether the entity already has significant dependencies on the prospective provider, how easily the services could be substituted if the provider failed or became unavailable, and what the impact would be on the entity's critical or important functions.
The assessment must also look beyond the entity's own dependencies to consider the broader market. If a particular provider is already heavily used by other financial entities in the same market segment, adding another dependency increases systemic concentration risk even if the individual entity's exposure seems manageable.
Entities must document their concentration risk assessments and factor the results into their decision-making process for new ICT third-party arrangements. Where concentration risk is identified, entities should consider mitigating measures such as multi-provider strategies, contractual protections, exit planning, and operational continuity procedures that allow for provider transitions.
Ready to automate compliance with Article 29?
Valendir maps every DORA requirement to actionable controls, evidence, and workflows.