Third-Party Concentration Risk: The DORA Problem Most Boards Still Underestimate
By Ali Zeb · March 2025 · 8 min read
DORA's requirements for third-party ICT risk management are among the most demanding elements of the regulation, and among the least thoroughly addressed by boards in scope. Most organisations have approached DORA compliance through a contract review lens: updating agreements with critical ICT third-party providers to include the mandated clauses around audit rights, exit planning, and service continuity. That work is necessary. It is not sufficient. And it misses the dimension of DORA that will prove most consequential for regulated firms in the years ahead: concentration risk.
Concentration risk under DORA refers to a firm's aggregate dependence on a single third-party provider or a small number of providers for critical or important functions. The concern is not that any individual dependency is problematic — large cloud providers, core banking vendors, and market infrastructure platforms are deeply embedded in the operational fabric of financial services — but that when too many critical functions flow through too few providers, a single point of disruption can propagate across the sector rather than remaining contained within one firm.
The regulatory intent here is systemic. Regulators are not simply asking whether your third parties are managed. They are asking whether the financial system as a whole is resilient to the failure or disruption of the providers that sit at its centre. For individual firms, this creates obligations that extend well beyond vendor management: it requires boards to understand their concentration exposure, to assess whether it is acceptable, and to demonstrate that they have considered what they would do if a critical provider could no longer deliver.
Where concentration risk hides
The governance challenge of concentration risk is that it is frequently invisible at board level until it crystallises. A board may know that the organisation uses a major cloud provider for infrastructure, a global vendor for core processing, and a specialist platform for a critical workflow. What it may not know — and what DORA requires it to understand — is the aggregate picture: how many critical functions depend on each provider, what the substitutability of that provider is, and what the realistic recovery pathway would be if that provider suffered a sustained outage or withdrew from the market.
Sub-outsourcing compounds the problem. A firm may have a direct contract with a managed service provider and believe it understands its third-party dependencies. What it may not have mapped is where that managed service provider itself outsources critical components: infrastructure hosted on hyperscalers, security tooling provided by a handful of global vendors, talent concentrated in specific geographies with their own political and operational risks. DORA requires firms to understand these chains, not just the first link.
The third layer of invisibility is sector-wide concentration. A firm may have well-diversified third-party arrangements by its own assessment, while simultaneously relying on providers that serve a significant proportion of the financial sector. If those providers suffer a simultaneous disruption, the individual firm's internal diversification does nothing to limit the systemic impact. Regulators are increasingly focused on this dimension: the oversight framework for critical ICT third-party providers under DORA, and the Critical Third Parties regime in the UK, exist precisely to address it.
"Most boards can name their top five ICT vendors. Far fewer can answer what would happen operationally if any one of them became unavailable tomorrow, for how long, and at what cost. DORA requires that answer to exist — in writing, and tested."
Ali Zeb
What boards need to ask and evidence
The board-level governance response to concentration risk under DORA has three practical components. The first is a concentration register: a mapped view of the organisation's critical and important functions, the ICT providers they depend on (including the providers those providers depend on), and the degree of substitutability for each. This builds on, but goes beyond, the register of information on ICT contractual arrangements that DORA already requires firms to maintain and make available to their competent authority: that register records the arrangements; the concentration view has to record what depends on them and what the alternatives are. This is not a document that vendor management or procurement can produce alone. It requires input from the business lines that own the critical functions and from technology teams who understand the architecture. The board should direct its existence and review it at least annually.
The second component is exit planning. DORA requires documented exit strategies for ICT services that support critical or important functions, and those strategies must be realistic rather than theoretical. A plan that relies on migrating a core banking platform in ninety days is not a realistic plan unless that migration has been tested or there is a credible basis for believing it is achievable. Boards should ask for the exit plan, ask what assumptions it rests on, and ask when those assumptions were last validated.
The third component is tolerance setting. Boards should have a defined position on what level of concentration is acceptable — expressed in terms of the maximum proportion of critical functions that can depend on a single provider, the minimum number of providers for specific categories of service, and the maximum acceptable recovery time in a disruption scenario. These thresholds should be set at board level, documented, and used to assess the current state against appetite. Where the current state exceeds appetite, the board should direct a remediation plan with a defined timeline.
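As an added illustration of how the three components fit together (this is not part of the article, not a DORA template, and not any firm's actual register): a small Python model of a concentration register that follows sub-outsourcing chains, compares each provider's aggregate exposure against a board-set share threshold, and checks exit-plan recovery estimates against each function's outage tolerance. Every function name, provider name, sub-contract, recovery figure and the 40% threshold below is constructed for the example.

```python
"""Concentration register: aggregate exposure, including transitive
sub-outsourcing, checked against board-set tolerances.

Added illustration only. All names, hours and thresholds are constructed
for this example; none is taken from DORA or from a real firm.
"""
from collections import defaultdict

# Critical or important functions and the direct ICT provider each runs on.
# max_outage_h: the longest outage the business says it can tolerate.
FUNCTIONS = {
    "payments":            {"provider": "CoreBankCo",   "max_outage_h": 4},
    "card_authorisation":  {"provider": "CoreBankCo",   "max_outage_h": 2},
    "customer_onboarding": {"provider": "KYCVendor",    "max_outage_h": 48},
    "trade_settlement":    {"provider": "MarketInfraX", "max_outage_h": 8},
    "treasury_reporting":  {"provider": "SaaSReport",   "max_outage_h": 72},
    "fraud_monitoring":    {"provider": "FraudAI",      "max_outage_h": 24},
}

# Sub-outsourcing chain: what each provider itself depends on (constructed).
SUBCONTRACTS = {
    "CoreBankCo":     ["HyperCloudA"],
    "KYCVendor":      ["IdentityDataCo"],
    "IdentityDataCo": ["HyperCloudA"],
    "SaaSReport":     ["HyperCloudA"],
    "FraudAI":        ["HyperCloudB"],
}

# Exit-plan evidence per provider: the recovery/migration time the plan
# claims, and whether that claim has ever been validated by a test.
PROVIDERS = {
    "CoreBankCo":     {"recovery_h": 96,  "exit_tested": False},
    "KYCVendor":      {"recovery_h": 24,  "exit_tested": True},
    "MarketInfraX":   {"recovery_h": 8,   "exit_tested": True},
    "SaaSReport":     {"recovery_h": 12,  "exit_tested": True},
    "FraudAI":        {"recovery_h": 12,  "exit_tested": True},
    "HyperCloudA":    {"recovery_h": 120, "exit_tested": False},
    "HyperCloudB":    {"recovery_h": 48,  "exit_tested": False},
    "IdentityDataCo": {"recovery_h": 24,  "exit_tested": False},
}

# Board appetite (hypothetical): no provider, direct or transitive, may
# carry more than this share of critical functions.
MAX_SHARE_PER_PROVIDER = 0.40


def upstream(provider, subcontracts):
    """All providers a given provider transitively depends on (cycle-safe)."""
    seen, stack = set(), list(subcontracts.get(provider, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(subcontracts.get(p, []))
    return seen


def exposure(functions, subcontracts):
    """Map each provider to every function that depends on it, directly or
    through the sub-outsourcing chain. This is the aggregate view."""
    exp = defaultdict(set)
    for fn, rec in functions.items():
        direct = rec["provider"]
        exp[direct].add(fn)
        for p in upstream(direct, subcontracts):
            exp[p].add(fn)
    return dict(exp)


def assess(functions, subcontracts, providers, max_share):
    """Findings where the current state exceeds appetite, where the exit
    plan's recovery time cannot meet a function's outage tolerance, or
    where the exit assumptions have never been validated."""
    findings = []
    exp = exposure(functions, subcontracts)
    total = len(functions)
    for provider, fns in sorted(exp.items()):
        share = len(fns) / total
        if share > max_share:
            findings.append(("concentration", provider,
                             f"{len(fns)}/{total} functions ({share:.0%}) exceeds {max_share:.0%}"))
        rec = providers[provider]
        for fn in sorted(fns):
            limit = functions[fn]["max_outage_h"]
            if rec["recovery_h"] > limit:
                findings.append(("recovery", provider,
                                 f"{fn}: plan needs {rec['recovery_h']}h, tolerance {limit}h"))
        if not rec["exit_tested"]:
            findings.append(("untested_exit", provider,
                             f"exit assumptions never validated; {len(fns)} function(s) affected"))
    return findings


if __name__ == "__main__":
    for kind, provider, detail in assess(FUNCTIONS, SUBCONTRACTS, PROVIDERS,
                                         MAX_SHARE_PER_PROVIDER):
        print(f"[{kind}] {provider}: {detail}")
```

The point the sample data makes is the one in the article: looking only at direct contracts, no provider exceeds the 40% appetite (CoreBankCo carries two of six functions). Once the sub-outsourcing chain is followed, HyperCloudA turns out to sit under four of the six, with a claimed recovery time that no dependent function can tolerate and no test behind it. The same structure extends naturally to minimum-provider counts per service category or to sector-wide exposure if the register records which providers are designated critical.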
None of this is straightforward to implement, and the operational constraints on provider diversification are real: switching costs are high, migration risk is material, and in some areas of financial services infrastructure, genuine alternatives are limited. DORA does not require firms to eliminate concentration risk. It requires them to understand it, govern it, and demonstrate that they have considered and accepted the residual exposure. The governance gap in most organisations is not the concentration itself. It is the absence of evidence that the board has engaged with it.
Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises boards and regulated firms on DORA compliance, third-party risk governance, and operational resilience frameworks.
Disclaimer
The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.
While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.
Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.
To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.