Source: OJ L 333, 27.12.2022, p. 1–79

Current language: EN

Article 29 Preliminary assessment of ICT concentration risk at entity level


Summary What does Article 29 of the DORA regulation say?

This article extends the risk assessment obligations established in Article 28, focusing specifically on ICT concentration risk and the complexities of subcontracting chains.

It requires financial entities, when assessing a prospective ICT arrangement for critical or important functions, to consider whether that arrangement could create problematic dependencies — such as relying on a provider that cannot easily be replaced, or accumulating multiple arrangements with the same provider or closely connected providers.

The article then broadens its scope to address subcontracting scenarios, requiring financial entities to weigh the risks of further subcontracting, consider insolvency implications, and account for the additional complications that arise when providers or subcontractors are established in third countries.

Important points:

  • Assess whether a new ICT arrangement for critical or important functions would create concentration risk through non-substitutable or closely connected providers, and weigh the benefits and costs of alternative solutions.
  • Where subcontracting of critical or important functions is permitted, assess the risks of subcontracting chains — including third-country subcontractors — and consider the insolvency law provisions that would apply if the provider went bankrupt.
  • Where a provider supporting critical or important functions is established in a third country, also consider compliance with Union data protection rules and the effective enforcement of law in that country.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. When performing the identification and assessment of risks referred to in Article 28(4), point (c), financial entities shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following:

      1. contracting an ICT third-party service provider that is not easily substitutable; or

      2. having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.

    2. Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.

    1. Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.

    2. Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.

    3. Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.

    4. Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod