
Published: 01.08.2025 | Topics: Digitalisation, Risk management

Supervisory focus: when concentrations become a risk

DORA became applicable on 17 January 2025. One of the changes it has brought about is that BaFin will now be overseeing ICT third-party service providers that the European financial industry relies on. This article outlines how the presence of such dependencies is identified and what will change for companies and supervisory authorities.

By Dr Sibel Kocatepe, BaFin IT Supervision

Companies in the financial sector are increasingly relying on IT service providers. This has several advantages. For example, financial entities benefit from the expertise of these specialised service providers and can concentrate more on their core business. A further advantage is that they can save costs. The condition is that these companies must keep an eye on regulatory compliance, and the Federal Financial Supervisory Authority (BaFin) ensures that they do: BaFin does not permit an “out of sight, out of mind” approach. On its own, however, this is no longer enough. A twofold concentration risk is on the rise, making the situation more complex and more challenging for supervisors and financial entities alike.

Twofold concentration

IT services in particular are becoming increasingly concentrated on just a few providers. One example is the leading cloud hyperscalers based in the United States, which serve a large share of the German and European financial market across all sectors. A failure at such a service provider could therefore have serious consequences.

Moreover, these few service providers are usually based in third countries such as the US. This additionally gives rise to a geographical concentration. Such a concentration can prove to be risky particularly with regard to geopolitical crises, for example in light of sanctions or in the course of trade disputes.

DORA focuses on concentration risks

BaFin has been monitoring IT service providers more closely for several years. Since 17 January 2025, the Digital Operational Resilience Act (DORA) has been intensifying this oversight in the European Economic Area at the European level. The aim is to strengthen the digital operational resilience of financial entities and thus preserve the stability of the European financial system.

Not every concentration is a risk. DORA focuses on those service providers from the information and communication technology sector (ICT third-party service providers) from whom many financial entities obtain services. If there is a possibility that this concentration on individual providers will result in a systemic risk for the financial market, BaFin will take a closer look.

Particularly interesting for the supervisors are concentrations of providers whose IT services are impossible or very difficult for other providers to supply. These service providers are then considered critical ICT third-party service providers within the meaning of DORA because a significant share of the European financial sector depends on them. In future, critical ICT third-party service providers will be subject to special oversight under the new DORA oversight framework (see Figure 1). This framework is a new approach of the European Supervisory Authorities (ESAs) for dealing with individual service providers and is intended to preserve the stability of the financial system.

Figure 1: European oversight framework under DORA

[Diagram showing the supervisory structure for critical ICT third-party service providers in the financial sector. Source: BaFin]

Two-step assessment process: when is a service provider critical?

A two-step assessment process determines whether an ICT third-party service provider, based on its relevance to the system, is critical and therefore requires oversight. Quantitative and qualitative criteria are used to ascertain the importance of the ICT third-party service provider on the European financial market. The process also makes it possible to identify those ICT third-party service providers on whose services a significant share of the financial market depends.

However, some ICT third-party service providers need not undergo this process: there are special exemptions that apply to them. These service providers include financial entities that are themselves subject to financial supervision, but also intra-group service providers and service providers within a financial network, such as insurance groups and credit institutions. These service providers are not suitable for European oversight, simply because if they were to fail, only their particular group or network would be affected. They can therefore continue to be supervised on a national level by the supervisory authority that also supervises the financial entity.

Registers of information to be submitted by 11 April 2025 at the latest

To be able to identify dependencies on ICT third-party service providers, the supervisory authorities require financial entities to provide an overview of their contractual arrangements with IT service providers. In future, this overview is to be provided in the form of the register of information, which financial entities must keep and make available to the competent authority on request.

Financial entities are to submit these registers to BaFin by 11 April 2025 at the latest. The ESAs intend to publish a list of critical IT service providers in the second half of 2025.

A detailed article on the oversight framework is available here.
