DORA Article 29: ICT Third-Party Concentration Risk Explained

Introduction

Most DORA compliance conversations focus on what happens after a provider is onboarded: contracts, incident reporting, audit rights. Article 29 works differently. It requires a formal concentration risk assessment before you sign any contract for ICT services supporting a critical or important function (CIF).

That sequencing matters. Many regulated financial institutions run thorough vendor risk programs but have never done the portfolio-level dependency mapping Article 29 actually requires. The gap between "we have TPRM" and "we comply with Article 29" catches many boards off guard, and supervisors are equipped to find it.

This post is written for boards, risk committees, CISOs, and senior leaders who need to understand Article 29 operationally. Concentration risk is among the least understood obligations in DORA's Chapter V — yet the supervisory infrastructure to examine it is already active.

Here's what this post covers:

  • What Article 29 actually requires (and what it doesn't)
  • Why portfolio-level dependency mapping is the core obligation most firms miss
  • How supervisors are already using the Register of Information to identify gaps

TL;DR

  • Article 29 requires a pre-contractual concentration risk assessment for any ICT arrangement supporting a critical or important function
  • Two triggers: contracting a non-substitutable provider, or accumulating multiple CIF contracts with the same or closely connected providers
  • Article 29(2) covers sub-contracting chains: insolvency exposure, data recovery limits, third-country enforcement gaps, and chain complexity each require documented assessment
  • The required work is portfolio-level analysis — cross-function dependency mapping, not individual vendor scoring
  • The management body must receive findings; high-concentration decisions require documented board-accountable rationale

What Is ICT Concentration Risk Under DORA Article 29?

Article 29 is the obligation within DORA's Chapter V for financial entities to assess — before concluding an ICT contractual arrangement for critical or important functions — whether that arrangement would create unacceptable dependency on a single provider or group of connected providers.

The Two Triggers

Article 29(1) identifies two distinct concentration scenarios:

  • Non-substitutability: Contracting an ICT third-party provider that is not easily substitutable (meaning switching to an alternative is impractical, costly, or operationally disruptive)
  • Accumulated dependency: Having multiple contractual arrangements for CIF ICT services with the same provider, or with "closely connected" ICT third-party providers (such as subsidiaries or entities sharing the same parent)

Both scenarios trigger the same obligation: weigh the benefits and costs of alternative solutions, including different ICT providers, against business needs and your digital resilience strategy objectives.

Why This Is Different From Standard TPRM

Standard third-party risk management evaluates an individual vendor's risk profile: security controls, financial stability, SLA track record. Article 29 asks a fundamentally different question: what happens across multiple critical functions simultaneously if one provider fails?

An entity could have five vendors on paper, all with clean risk scorecards. If three share a parent company or run on the same cloud infrastructure, the concentration risk is real — and a traditional vendor scorecard will never surface it.

That cross-portfolio visibility is what Article 29 requires. Standard TPRM tooling does not produce it, so the concentration assessment has to be built as its own step, with its own owner and its own record, inside the pre-contractual process.


Why the Financial Sector Needs This Assessment

The dependency problem Article 29 addresses is not hypothetical. According to the ECB's February 2024 supervisory newsletter, more than 30% of the total outsourcing budget of significant EU banks is concentrated on just ten providers, most headquartered outside the EU.

The ECB's 2025 horizontal analysis of outsourcing registers adds further texture:

  • 73.7% of critical external contracts are difficult to substitute
  • 17.7% are considered impossible to substitute
  • 50% of total budget for critical contracts flows to the top 30 external third-party providers

These aren't abstract risk indicators. They describe the actual state of the financial sector's ICT dependency — and they point directly to the institutional failure mode Article 29 is designed to prevent.

[Figure: ECB data showing EU bank ICT concentration risk statistics across critical contracts]

The Systemic Problem

That concentration becomes dangerous when it goes unmapped. Without a formal assessment, a financial entity may unknowingly depend on the same cloud provider, data processor, or security platform across five separate critical functions. When that provider fails, all five functions fail simultaneously — and neither the entity nor its regulator can respond effectively because the cross-function dependency was never documented.

Article 29 also serves a purpose beyond any single institution. When dozens of financial entities all depend on the same two or three mega-providers, a single disruption creates a sector-level event.

The assessments required under Article 29 feed into the Register of Information, which supervisors use to analyze concentration at the sector level — not just at the entity level. The ESAs' designation of critical ICT third-party providers under DORA's oversight framework is built on this kind of aggregated data.


How the Article 29 Concentration Risk Assessment Works

The assessment is a preliminary process — it must occur before the contractual arrangement is concluded. Article 28(4)(c) explicitly requires financial entities to identify and assess whether a new arrangement could contribute to reinforcing ICT concentration risk as described in Article 29. That cross-reference matters: it embeds the concentration risk assessment inside pre-contractual due diligence, not as a standalone exercise.

Step 1: Map Existing ICT Dependencies Across Critical Functions

Before evaluating any new arrangement, you need a current picture of your existing CIF portfolio. That means:

  • Identifying all contractual arrangements supporting critical or important functions
  • Mapping which functions share the same provider — or providers that are closely connected
  • Noting which providers are already flagged as difficult or impossible to substitute

The Register of Information under Article 28(3) is the required vehicle for maintaining this data. Without a current dependency map, the pre-contractual assessment for any new CIF arrangement cannot be performed accurately — you cannot assess cumulative concentration without knowing what concentration already exists.

That dependency map also needs to capture "closely connected" providers — a phrase Article 29(1)(b) uses but that no official ESA guidance has defined for parent-subsidiary, shared-infrastructure, or joint-venture scenarios. In practice, assess these relationships through common ownership, shared infrastructure, or contractual interdependencies where a disruption to one provider would simultaneously disrupt another.
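The dependency map in Step 1 is a graph problem, not a spreadsheet column: providers that look independent on paper have to be collapsed into one failure domain when they share a parent or run on the same platform. The following script is an added example, not code from the original article or from any regulator or vendor tool. It models a simplified Register of Information with constructed sample data (the record layout, the provider names and the substitutability ratings are all assumptions), groups closely connected providers with a union-find over common ownership and shared infrastructure, and then runs the pre-contractual check for both Article 29(1) triggers against a proposed new arrangement.

```python
"""Cross-function ICT dependency mapping over a simplified Register of
Information. Constructed example added for illustration; not code from the
original article, any regulator, or any vendor tool. The record layout
(function, provider, parent, platform, substitutable) and the sample data
are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SUBSTITUTABILITY_RANK = {"easy": 0, "difficult": 1, "impossible": 2}


@dataclass(frozen=True)
class Arrangement:
    function: str       # critical or important function the ICT service supports
    provider: str       # contracting ICT third-party provider
    parent: str         # ultimate parent of the provider ("" if independent)
    platform: str       # infrastructure the service actually runs on
    substitutable: str  # assessed as "easy", "difficult" or "impossible"

    def __post_init__(self):
        if self.substitutable not in SUBSTITUTABILITY_RANK:
            raise ValueError(f"unknown substitutability: {self.substitutable!r}")


# Constructed sample register: five providers that look independent on paper.
REGISTER = [
    Arrangement("payments",        "AcmeCloud",   "Acme Holdings", "AcmeCloud",  "difficult"),
    Arrangement("card-processing", "AcmeSecOps",  "Acme Holdings", "AcmeCloud",  "easy"),
    Arrangement("treasury",        "Nimbus SaaS", "",              "AcmeCloud",  "easy"),
    Arrangement("custody",         "VaultCo",     "",              "VaultCo DC", "impossible"),
    Arrangement("reporting",       "LedgerHub",   "",              "LedgerHub",  "easy"),
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def connected_groups(arrangements):
    """Group providers that are 'closely connected': same parent company or
    same underlying platform. Returns {provider: frozenset(group members)}."""
    parent = {}
    for a in arrangements:
        parent.setdefault(a.provider, a.provider)
        for link in (a.parent, a.platform):
            if not link:
                continue
            # Namespaced so a platform named like a provider does not collide.
            key = "link:" + link
            parent.setdefault(key, key)
            ra, rb = _find(parent, a.provider), _find(parent, key)
            if ra != rb:
                parent[ra] = rb
    members = defaultdict(set)
    for a in arrangements:
        members[_find(parent, a.provider)].add(a.provider)
    return {p: frozenset(group) for group in members.values() for p in group}


def concentration_report(arrangements):
    """Portfolio view: which CIFs fail together if one connected group fails.
    Keys are sorted provider tuples, values are sorted function lists."""
    groups = connected_groups(arrangements)
    exposure = defaultdict(set)
    for a in arrangements:
        exposure[groups[a.provider]].add(a.function)
    return {tuple(sorted(g)): sorted(f) for g, f in exposure.items()}


def assess_new_arrangement(existing, proposed):
    """Pre-contractual check: would concluding `proposed` hit either
    Article 29(1) trigger, given the arrangements already in place?"""
    after = list(existing) + [proposed]
    groups = connected_groups(after)
    group = groups[proposed.provider]
    in_group = [a for a in after if groups[a.provider] == group]
    functions = sorted({a.function for a in in_group})
    hardest = max(in_group, key=lambda a: SUBSTITUTABILITY_RANK[a.substitutable])
    return {
        "non_substitutable": proposed.substitutable != "easy",  # trigger (a)
        "accumulated_dependency": len(functions) > 1,           # trigger (b)
        "dependent_functions": functions,
        "closely_connected_providers": sorted(group - {proposed.provider}),
        "hardest_to_replace_in_group": hardest.substitutable,
    }


if __name__ == "__main__":
    for providers, functions in concentration_report(REGISTER).items():
        print(f"{', '.join(providers)} -> {', '.join(functions)}")
    proposed = Arrangement("client-onboarding", "Nimbus SaaS", "", "AcmeCloud", "easy")
    print(assess_new_arrangement(REGISTER, proposed))
```

On the sample register, the portfolio view collapses AcmeCloud, AcmeSecOps and Nimbus SaaS into one failure domain carrying payments, card processing and treasury, which is exactly what a per-vendor scorecard would miss. The proposed onboarding contract with Nimbus SaaS is "easy" to substitute on its own and still trips the accumulated-dependency trigger, and the group it joins already contains a provider assessed as difficult to replace; both facts belong in the Step 3 record. In a real deployment the link keys would come from the legal-entity and infrastructure fields of the Register of Information rather than from hand-entered strings.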

Step 2: Assess Substitutability of the Proposed Provider

"Not easily substitutable" is not a binary determination. It exists on a spectrum. A documented substitutability judgment should consider:

  • Market concentration of the specific ICT service (hyperscale cloud infrastructure, for example, where three providers dominate globally)
  • Switching cost and operational disruption — both financial and timeline
  • Data portability — whether data can be migrated within a reasonable timeframe
  • Functional equivalence — whether alternatives can deliver the same capability for the specific function being supported

Supervisors will scrutinize whether this judgment was made with evidence — alternatives identified, switching costs estimated, market concentration acknowledged — or assumed. "We considered alternatives" without documentation will not hold.

[Figure: Four-factor substitutability assessment framework for DORA Article 29 compliance]

Step 3: Document the Benefits-and-Costs Analysis and Management Decision

Article 29 explicitly requires financial entities to weigh costs and benefits of alternative solutions against their digital resilience strategy objectives. The output is a documented management decision that must answer:

  • Who conducted the assessment and when
  • What alternatives were considered
  • Why the chosen arrangement is acceptable despite identified concentration risk
  • What mitigating controls are in place

This document becomes part of the pre-contractual due diligence record and is subject to supervisory review.

If the management body approved a high-concentration arrangement, that approval — and its rationale — must be recorded formally. Supervisors reviewing this record will look for a clear chain from identified risk to considered alternatives to a reasoned decision, not a checkbox that says the exercise occurred.


The Sub-Contracting and Third-Country Dimension: Article 29(2)

Article 29(2) extends the concentration risk assessment downstream. Where an ICT provider for a critical or important function is permitted to sub-contract those services further, the financial entity must weigh the benefits and risks of that sub-contracting. This is the fourth-party risk dimension — and it is explicitly required, not optional.

Four Areas Where Article 29(2) Requires Assessment

  • Insolvency law: identify which insolvency law would apply if the provider becomes bankrupt, and whether that regime constrains urgent recovery of the entity's data
  • Third-country enforcement: for providers or sub-contractors established outside the EU, assess compliance with Union data protection rules and whether the law is effectively enforced in that jurisdiction
  • Chain complexity: assess whether long or complex sub-contracting chains impair the entity's ability to fully monitor the contracted functions and the competent authority's ability to supervise
  • Approval prerequisite: weigh the benefits and risks of potential sub-contracting before permitting it, with particular attention to sub-contractors established in a third country

[Figure: Article 29 sub-contracting risk assessment, four areas comparison table]

Commission Delegated Regulation (EU) 2025/532, which took effect in July 2025, adds qualitative criteria for sub-contracting chain assessment — including the location of sub-contractors, length and complexity of the chain, and whether ICT services concentrate in a single sub-contractor. No numerical thresholds are specified; financial entities must assess qualitatively and document their findings. Two dimensions of that assessment warrant particular attention.

What Third-Country Assessment Actually Means

The third-country dimension in Article 29(2) goes beyond data residency under GDPR. It requires assessing whether courts and regulators in that jurisdiction will actually enforce contractual recovery obligations if the sub-contractor fails. A jurisdiction with uncertain enforcement creates recovery risk that cannot be contractually managed away. That risk must be weighed before the arrangement is entered, not discovered after an insolvency event.

Chain complexity creates its own category of risk. When a critical function passes through three or four layers of sub-contractors, monitoring each layer in practice becomes very hard to sustain, and the entity's visibility of who is actually delivering the service degrades with every added layer.

DORA treats that impaired visibility as a risk in itself. The assessment must address whether the entity will retain sufficient monitoring capability regardless of how many sub-layers exist.


What This Means for Board Oversight and Governance

Article 29 creates a board-level obligation, not merely an operational one. Commission Delegated Regulation (EU) 2024/1773 requires the ICT third-party policy to define reporting lines to the management body, including the nature of information to be provided and reporting frequency — and the risk assessment that policy governs explicitly includes ICT concentration risk.

What Defensible Concentration Risk Governance Looks Like

Boards and risk committees need more than a risk team that runs the analysis. Inspectable oversight requires:

  • Clear decision rights: who has authority to approve a high-concentration arrangement, and at what level does it escalate to the board versus management
  • Defined escalation thresholds: documented criteria specifying when concentration exposure requires board sign-off rather than management approval
  • Assessment outputs on file: a documented pre-contractual assessment for each CIF arrangement, including the alternatives considered and the rationale for proceeding
  • Ongoing reporting cadence: concentration risk position reported to the board as new arrangements are added — not just a one-time gate at contract approval
  • Decision logs: records of what the board approved and why, which survive leadership changes and support supervisory review

[Figure: Five-element board governance framework for DORA Article 29 concentration risk oversight]

Tyson Martin works with boards and risk committees to build this kind of governance structure, translating Article 29's requirements into clear decision rights, reporting dashboards, and escalation thresholds that hold under regulatory scrutiny.

The output is inspectable and includes:

  • Board minutes documenting concentration risk discussions
  • A living risk register with named owners
  • Recorded risk acceptances
  • Concentration metrics that show trend, not point-in-time snapshots

The Exit Strategy Connection

Article 29 assessments for high-concentration arrangements must directly inform exit strategy development. If the assessment concludes that a provider is not easily substitutable, that finding must trigger a documented exit plan. Noting the risk without a response is not sufficient. Supervisors reviewing concentration risk governance will ask to see both the assessment and the corresponding exit readiness plan for any arrangement flagged as high-concentration.


Frequently Asked Questions

What exactly is ICT concentration risk under DORA Article 29?

It is the risk created when the ICT services supporting critical or important functions depend excessively on a single provider or a group of closely connected providers. Article 29 requires a formal preliminary assessment before entering arrangements that could create or increase this dependency. That assessment must happen before the contract is signed, not after.

Does Article 29 apply to all financial entities or only large institutions?

Article 29 applies to all financial entities within DORA's scope. The proportionality principle in Article 4 allows smaller entities to apply proportionate approaches, but no in-scope entity is exempt from the concentration risk assessment obligation when entering CIF arrangements.

What does "not easily substitutable" mean in practice?

It means the provider cannot be replaced within a reasonable timeframe without significant operational disruption, cost, or data portability barriers. The assessment must demonstrate this judgment with reference to actual market alternatives and estimated switching costs — and that analysis cannot simply be assumed.

How does Article 29 differ from a standard third-party risk assessment?

Standard TPRM evaluates an individual vendor's risk profile. Article 29 requires portfolio-level analysis — assessing how a proposed arrangement interacts with all existing CIF arrangements and whether the cumulative dependency creates exposure that individual vendor scores cannot detect.

What role does the management body play in Article 29 compliance?

The management body must receive concentration risk findings through the ICT third-party policy reporting structure. Decisions to proceed with high-concentration arrangements must be documented as management body-approved decisions with supporting rationale. Handling this solely at the operational level does not satisfy the requirement.

How does Article 29 address sub-contracting chains?

Article 29(2) requires assessment of sub-contracting risks: applicable insolvency law, urgent data recovery constraints, and third-country enforcement effectiveness. It also requires judgment on whether chain length or complexity impairs the entity's monitoring capability or the competent authority's ability to supervise.