
Microsoft's Concentration Risk Framework: A Cloud Provider's Guide to DORA Art. 29 Compliance

DORA Atlas Editorial, 11 min read

On February 2, 2026, Microsoft published a detailed concentration risk and exit strategy framework tailored specifically for DORA-regulated financial institutions using Azure services. The framework represents the first comprehensive response from a major cloud provider to DORA's third-party risk provisions, and it deserves serious analysis — both for what it offers and for what it omits.

Microsoft's framework arrives at a critical moment. The ECB's supervisory priorities for 2026-28 explicitly target third-party concentration risk. The Gulf crisis has demonstrated that geographic concentration in cloud infrastructure can have catastrophic consequences. And the ESAs' critical third-party provider oversight framework is moving from design to implementation.

What Microsoft Published

The framework is structured around three pillars: concentration risk assessment, exit strategy design, and contractual readiness. Each pillar includes tools, templates, and guidance that financial institutions can use directly in their DORA compliance programmes.

Pillar 1: Concentration Risk Assessment

Microsoft provides a quantitative framework for assessing concentration risk across four dimensions:

Dimension | Assessment method | Microsoft tool provided
Provider concentration | HHI calculation across all ICT providers | Spreadsheet model with Azure-specific inputs
Service concentration | Criticality-weighted dependency mapping | Azure dependency visualizer
Geographic concentration | Regional deployment analysis | Azure region redundancy assessor
Substitutability assessment | Alternative provider evaluation matrix | Multi-cloud readiness scorecard

The provider concentration methodology uses the Herfindahl-Hirschman Index (HHI) adapted for ICT service provision. The HHI is the sum of the squared shares held by each provider, so a portfolio that depends on a single provider scores 10,000 and the score falls as dependencies are spread across more providers. Microsoft's model allows institutions to input their complete ICT provider portfolio and calculate HHI scores by service category (IaaS, PaaS, SaaS, data analytics, security), by criticality tier, and by business function.
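To make the method concrete, the following Python is an added example written for this article, not a tool from Microsoft's framework. It computes HHI over a constructed portfolio by category, tier and business function, and adds the two views the framework is criticised for omitting later on this page: the share of critical-function weight carried by one provider (treating Azure itself as the concentration factor) and critical services deployed in a single region. The criticality weights (3/2/1), the HHI bands borrowed from antitrust practice (1,500 moderate, 2,500 high) and the sample portfolio are all assumptions; the page prescribes none of them.

```python
"""Concentration metrics for an ICT provider portfolio: HHI by grouping,
single-provider share, and regional single points of failure."""
from collections import defaultdict

# Constructed sample portfolio (not real data). Each entry is one ICT
# dependency; "weight" is a criticality weight (3 critical, 2 important,
# 1 other), a hypothetical weighting scheme the page does not prescribe.
PORTFOLIO = [
    {"service": "core-banking-db", "provider": "Azure", "category": "PaaS",
     "tier": "critical", "function": "payments", "regions": ["westeurope"], "weight": 3},
    {"service": "payments-gateway", "provider": "Azure", "category": "IaaS",
     "tier": "critical", "function": "payments",
     "regions": ["westeurope", "northeurope"], "weight": 3},
    {"service": "trading-platform", "provider": "OnPrem", "category": "IaaS",
     "tier": "critical", "function": "trading", "regions": ["dc-frankfurt"], "weight": 3},
    {"service": "fraud-analytics", "provider": "Snowflake", "category": "analytics",
     "tier": "important", "function": "risk", "regions": ["eu-central-1"], "weight": 2},
    {"service": "backup-archive", "provider": "AWS", "category": "IaaS",
     "tier": "important", "function": "operations", "regions": ["eu-west-1"], "weight": 2},
    {"service": "hr-system", "provider": "Workday", "category": "SaaS",
     "tier": "other", "function": "corporate", "regions": ["eu"], "weight": 1},
]

# Antitrust-style bands; the page states no thresholds, so these are an assumption.
HHI_MODERATE, HHI_HIGH = 1500, 2500


def hhi(shares):
    """HHI = sum of squared percentage shares; 10,000 means a single provider."""
    return sum((100.0 * s) ** 2 for s in shares)


def provider_weights(entries):
    """Total criticality weight carried by each provider in `entries`."""
    w = defaultdict(float)
    for e in entries:
        w[e["provider"]] += e["weight"]
    return w


def portfolio_hhi(entries):
    """HHI over the providers present in `entries`, weighted by criticality."""
    w = provider_weights(entries)
    total = sum(w.values())
    return hhi(v / total for v in w.values())


def hhi_by(entries, key):
    """HHI per value of `key` (category, tier or function)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e[key]].append(e)
    return {g: portfolio_hhi(es) for g, es in groups.items()}


def provider_share(entries, provider, tier=None):
    """Share of (optionally tier-filtered) weight carried by one provider:
    the 'is this provider itself the concentration risk' view."""
    sel = [e for e in entries if tier is None or e["tier"] == tier]
    w = provider_weights(sel)
    return w[provider] / sum(w.values())


def single_region_services(entries, tier="critical"):
    """Services in `tier` deployed in exactly one region (regional SPOF)."""
    return sorted(e["service"] for e in entries
                  if e["tier"] == tier and len(set(e["regions"])) == 1)


def band(h):
    """Map an HHI score to the assumed low/moderate/high bands."""
    return "high" if h >= HHI_HIGH else "moderate" if h >= HHI_MODERATE else "low"


if __name__ == "__main__":
    total = portfolio_hhi(PORTFOLIO)
    print("portfolio HHI:", round(total), band(total))
    for key in ("category", "tier", "function"):
        print(key, {g: round(h) for g, h in hhi_by(PORTFOLIO, key).items()})
    print("Azure share of critical weight:",
          round(provider_share(PORTFOLIO, "Azure", "critical"), 2))
    print("single-region critical services:", single_region_services(PORTFOLIO))
```

On this sample the whole-portfolio HHI is about 2,755, but the critical tier alone scores about 5,556 and every payments workload sits with one provider, which is why the breakdown by tier and function matters more than the headline number.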

The geographic concentration assessment maps workloads to Azure regions and identifies single points of failure at the regional level. Notably, this was published before the Gulf strikes, and the model did not explicitly include military proximity or geopolitical risk factors — an omission that now looks significant.

Pillar 2: Exit Strategy Design

The exit strategy component addresses DORA Article 28(8), which requires financial entities to put in place, document and test exit strategies for ICT services supporting critical or important functions. Microsoft's framework includes:

Data portability procedures: Step-by-step guides for exporting data from Azure services in standard formats. This covers blob storage, SQL databases, Entra ID (formerly Azure Active Directory), and analytics datasets. Microsoft provides estimated export timelines based on data volume.

Service migration playbooks: Documented procedures for migrating specific Azure services to alternative providers (AWS, GCP) or to on-premises infrastructure. These playbooks are service-specific — migrating an Azure Kubernetes Service deployment is different from migrating Azure SQL Database.

Timeline and cost estimation: Models that estimate the time and cost of executing an exit strategy based on the institution's specific Azure deployment. Microsoft's estimates assume cooperative exit (the provider assists with migration), not adversarial exit (the provider is unavailable or uncooperative).

Pillar 3: Contractual Readiness

The contractual component maps DORA Article 30 requirements against Microsoft's standard enterprise agreement terms and identifies gaps that need to be addressed through contract amendments or side letters.

DORA Art. 30 requirement | Microsoft standard coverage | Gap / amendment needed
Service levels with quantitative targets | Azure SLA with credit-based remedies | May need enhanced reporting
Data location specifications | Customer can choose Azure regions | Sub-processing locations may need clarification
Audit and inspection rights | Microsoft provides SOC/ISO reports | Direct audit access may need side letter
Exit assistance obligations | Migration support available | Formalized exit assistance terms recommended
Sub-contracting notification | Not standard in enterprise agreement | Side letter for critical sub-processor changes
Data portability in accessible format | Standard export tools available | Format guarantees may need contractual backing

Critical Evaluation: Strengths and Gaps

Strengths

Practical tooling: Unlike generic compliance guidance, Microsoft provides actual tools — spreadsheets, visualizers, scorecards — that institutions can use immediately. This reduces the translation cost between regulatory requirements and operational compliance.

Service-specific detail: The exit strategy playbooks are specific to Azure services, not generic cloud migration guides. This specificity makes them actionable for institutions with Azure deployments.

Transparent self-assessment: Microsoft's contractual readiness mapping honestly identifies gaps between its standard terms and DORA's requirements. This transparency, while commercially motivated (it positions Microsoft as DORA-friendly), provides genuine value for compliance teams.

Gaps

Self-serving bias: The framework naturally positions Azure favorably. The concentration risk assessment does not include scenarios where Azure itself is the concentration risk — it assesses concentration among providers as if Azure is one option among equals, not the dominant provider it often is.

Cooperative exit assumption: All exit strategy timelines assume that Microsoft is cooperating with the migration. The scenarios where exit is necessary because Microsoft can no longer provide services — the Gulf crisis scenario where a region is physically destroyed — are not covered.

Missing geopolitical risk: The geographic concentration assessment maps workloads to Azure regions but does not include geopolitical risk factors such as military proximity, cable route dependency, or sovereignty constraints. Post-Gulf crisis, this is a material omission.

No competitive alternative assessment: The substitutability scoring rates how easily Azure services can be replaced, but it does not compare specific alternatives. A financial institution using the framework still needs independent analysis of AWS, GCP, or on-premises alternatives.

How to Use Microsoft's Framework Within DORA Compliance

Financial institutions should treat Microsoft's framework as a useful input, not a complete solution. The following approach maximizes its value while compensating for its limitations:

Step 1: Use the Tools, Challenge the Assumptions

Microsoft's HHI calculator and geographic analysis tools are genuinely useful. Use them as starting points, but supplement with:

  • Independent concentration risk assessment that treats Azure itself as a concentration factor
  • Geopolitical risk overlay on the geographic analysis (military proximity, cable route dependency)
  • Adversarial exit scenario analysis (provider unavailable, region destroyed)

Step 2: Test the Exit Strategy

The exit playbooks provide a starting point for exit strategy documentation. But documentation is not testing. DORA Article 28(8) requires exit plans to be sufficiently tested and periodically reviewed, not merely written, so the institution needs evidence that the plan is viable.

Financial institutions should:

  • Execute at least a partial migration to an alternative environment (proof of concept, not full migration)
  • Measure actual data export times against Microsoft's estimates
  • Identify integration points that are Azure-specific and would require rewriting for alternative providers
  • Document the RTO for exit execution and ensure it meets business requirements
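The four checks above produce numbers that have to be reconciled: measured export times against the provider's estimates, and the overall exit time against the business RTO. The following Python is an added example for this article (not part of Microsoft's framework) showing one way to do that. It compares measured and estimated export durations, then computes the exit RTO as the longest dependency chain through the rehearsed migration plan rather than the sum of all steps, which is the figure that belongs in the exit documentation. The measurements, the plan, and the 25% tolerance before an estimate is flagged as unreliable are all constructed assumptions.

```python
"""Evaluate an exit-strategy test: measured vs. estimated export times,
and the critical-path RTO of the rehearsed migration plan."""

# Constructed measurements from a hypothetical partial-migration exercise
# (not real Azure figures). est_hours is the provider model's estimate,
# actual_hours is what the test measured.
EXPORTS = {
    "blob-export": {"size_gb": 4000, "est_hours": 8.0, "actual_hours": 11.5},
    "sql-export":  {"size_gb": 600,  "est_hours": 3.0, "actual_hours": 4.2},
    "dir-export":  {"size_gb": 2,    "est_hours": 1.0, "actual_hours": 0.8},
}

# Hypothetical migration plan: each step's duration in hours and the steps
# it must wait for. Export steps use their measured durations; the rest
# are rehearsed estimates for the target environment.
STEPS = {
    "blob-export":      {"hours": EXPORTS["blob-export"]["actual_hours"], "after": []},
    "sql-export":       {"hours": EXPORTS["sql-export"]["actual_hours"], "after": []},
    "dir-export":       {"hours": EXPORTS["dir-export"]["actual_hours"], "after": []},
    "identity-rebuild": {"hours": 6.0,  "after": ["dir-export"]},
    "db-restore":       {"hours": 5.0,  "after": ["sql-export"]},
    "blob-import":      {"hours": 10.0, "after": ["blob-export"]},
    "app-redeploy":     {"hours": 4.0,  "after": ["identity-rebuild", "db-restore"]},
    "cutover-test":     {"hours": 3.0,  "after": ["app-redeploy", "blob-import"]},
}

# Tolerance before an estimate is flagged as unreliable: an assumption.
VARIANCE_LIMIT = 1.25


def export_variance(exports):
    """Per dataset: measured throughput and actual/estimate ratio."""
    out = {}
    for name, m in exports.items():
        ratio = m["actual_hours"] / m["est_hours"]
        out[name] = {
            "gb_per_hour": m["size_gb"] / m["actual_hours"],
            "ratio": ratio,
            "unreliable": ratio > VARIANCE_LIMIT,
        }
    return out


def critical_path(steps):
    """Longest path through the dependency DAG, i.e. the best achievable
    exit RTO. Returns (total_hours, [step names on the critical path])."""
    memo, state = {}, {}

    def finish(name):
        if name in memo:
            return memo[name]
        if state.get(name) == "visiting":
            raise ValueError(f"dependency cycle at {name}")
        state[name] = "visiting"
        best_hours, best_path = 0.0, []
        for dep in steps[name]["after"]:
            h, p = finish(dep)
            if h > best_hours:
                best_hours, best_path = h, p
        memo[name] = (best_hours + steps[name]["hours"], best_path + [name])
        state[name] = "done"
        return memo[name]

    return max((finish(n) for n in steps), key=lambda r: r[0])


def rto_check(steps, rto_hours):
    """Compare the critical path against the business RTO requirement."""
    hours, path = critical_path(steps)
    return {"rto_met": hours <= rto_hours, "critical_hours": hours,
            "slack_hours": rto_hours - hours, "critical_path": path}


if __name__ == "__main__":
    for name, v in export_variance(EXPORTS).items():
        flag = " <- estimate unreliable" if v["unreliable"] else ""
        print(f"{name}: {v['gb_per_hour']:.0f} GB/h, {v['ratio']:.2f}x estimate{flag}")
    print(rto_check(STEPS, rto_hours=24.0))
```

In the sample the blob export runs 44% over the estimate and sits on the critical path (export, import, cutover), so a 24-hour RTO is missed by half an hour; the parallel identity and database branch finishes well inside it. Rerunning the check with measured rather than estimated durations is the kind of evidence the exit documentation should carry.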

Step 3: Address the Contractual Gaps

Microsoft's contractual gap analysis identifies areas where the standard enterprise agreement does not fully meet DORA's Article 30 requirements. Financial institutions should negotiate amendments for:

  1. Enhanced audit rights: Direct audit access (or independent third-party audit) beyond SOC/ISO reports, particularly for critical services
  2. Sub-contracting notification: Contractual obligation to notify the financial entity before changing sub-processors for critical services
  3. Data portability guarantees: Specific commitments on data format, completeness, and timeline for export
  4. Exit assistance SLA: Defined assistance obligations during exit, including personnel availability, knowledge transfer, and parallel running support

Step 4: Integrate with Broader Third-Party Governance

Microsoft's framework addresses Azure-specific compliance. But DORA's third-party risk framework applies to all ICT providers. Financial institutions must integrate the Microsoft-specific analysis into their broader third-party governance programme, ensuring consistent assessment standards across all providers.

The three ESAs (EBA, EIOPA and ESMA) are implementing DORA's oversight framework for critical ICT third-party service providers, which is expected to cover the major cloud providers. Microsoft's framework may evolve as the CTPP designation process matures and specific oversight requirements are imposed.

What This Means for the Cloud Provider Market

Microsoft's publication of a DORA-specific concentration risk framework is a competitive move. AWS and Google Cloud have not published equivalent frameworks (as of this writing), and Microsoft's first-mover advantage positions Azure as the "DORA-ready" cloud provider for European financial institutions.

The competitive dynamic is likely to produce DORA-specific tooling from all major cloud providers in 2026. This is a net positive for the financial sector — cloud providers competing to demonstrate DORA readiness raises the baseline for all institutions.

However, financial institutions should be cautious about relying exclusively on any cloud provider's self-assessment for DORA compliance. The provider's incentive is to demonstrate that using its services is DORA-compliant. The financial institution's obligation is to assess whether its specific deployment is resilient. These are related but distinct questions.


See also: Cloud Concentration Risk Under DORA | ECB Supervisory Priorities 2026-28 | Multi-AZ Assumptions Shattered


Summary

On 2 February 2026, Microsoft published a comprehensive concentration risk and exit strategy framework designed for DORA compliance (Art. 28-29). The framework is built around three pillars: concentration risk assessment (HHI, geographic analysis, substitutability score), exit strategy design (data portability, migration playbooks, cost models), and contractual readiness (Art. 30 mapping, gap identification). Its strengths include practical tools, Azure-service-specific playbooks, and a transparent analysis of contractual gaps. Its weaknesses include a pro-Azure bias, the assumption of a cooperative exit only, the absence of geopolitical risk factors, and the absence of any assessment of competing alternatives. Financial institutions should use the framework as a starting point while compensating for its limits with an independent concentration risk assessment, exit tests under real conditions, supplementary contract negotiations, and integration into overall third-party governance.
