
Published: 01.08.2025 | Topic: Digitalisation, Risk management

Not every concentration is a risk

DORA became applicable on 17 January 2025. One of the changes it has brought about is that BaFin will now be overseeing ICT third-party service providers that the European financial industry depends on. This article outlines how the presence of such dependencies is identified and what will change for companies and supervisory authorities.

By Dr Sibel Kocatepe, BaFin IT Supervision

The application of the Digital Operational Resilience Act (DORA) marks the beginning of a new era of digital operational security in Europe’s financial industry – also in the way supervisors deal with information and communication technology (ICT) service providers. An important component of DORA is the new European oversight framework for critical third-party service providers. The focus is on ICT third-party service providers on whose services European companies in the financial market rely. The aim is to ensure the stability and integrity of the financial sector.

To put this in context: the financial sector is experiencing a clear trend towards increasing use of specialised IT service providers by financial entities. This trend existed before DORA came into force – in the form of outsourcing. Drivers for outsourcing include the centralised bundling of IT operations and related tasks, such as information risk management and information security management.

In view of the many advantages involved in outsourcing to IT service providers, outsourcing is appropriate and important from the perspective of an individual financial entity. From a supervisory perspective, however, it must be clear that the company that is outsourcing activities and processes is properly managing its outsourcing arrangements.

Concentrations on two levels

For a few years now, the financial market has seen a concentration of outsourcing by a large number of companies in the financial market to a small number of highly specialised IT service providers that are predominantly based in a few third countries. There are therefore two levels of concentration making the topic of outsourcing more complex and challenging – for financial entities and supervisory authorities alike.

One example of such a concentration risk is that posed by the large cloud hyperscalers based in the United States: these providers serve a large share of the German and European financial market, primarily because of their cost advantage over other IT service providers, their technical expertise and their innovative strength. Moreover, other leading cloud service providers also use these large cloud hyperscalers for their IT services. This is giving rise to concentrations within the service provider sector as well.

If there were to be a serious incident at a major cloud hyperscaler, this could have serious consequences for the financial market. Since large IT service providers already set themselves high standards for reputational reasons, a serious disruption to outsourced activities or even the sudden collapse of such a service provider would likely be an exceptionally rare extreme event. Nevertheless, these twofold concentration risks and the question of how to deal with them will be key issues for the financial sector, service providers, supervisors and regulators in the coming years.

Concentrations critical if associated with dependencies

At the same time, there is not always concentration risk involved where a large number of institutions outsource activities or processes to a limited number of service providers. It actually depends on whether the service provider’s offering is so specialised that the financial entities using it rely on it for their critical or important functions.

This can be assumed if financial entities cannot (or can no longer) in fact provide the service themselves or if this does not appear to make economic sense. The result would be a dependency if switching to another service provider were not possible due to a small number of alternative service providers, or if the change of service provider – while theoretically possible – were to prove very difficult in practice or to involve significant resources.

If, however, this dependency does not exist, the mere fact that a large number of financial entities use the same service provider would not pose any risk for the financial market per se. It would be possible, in the event of a long-term disruption or failure at the service provider, for the financial entity to fully or partially resume operation of the critical or important functions itself or to migrate the functions to an alternative service provider.

Concentration risks particularly high for software

Concentration risks and dependencies, for example in the use of software, are therefore particularly apparent in the case of IT outsourcing. Software is often individually configured in such a way that alternative service providers cannot easily offer the same product. The company outsourcing specific activities and processes usually does not have such expert knowledge, either. This dependency problem is known as “vendor lock-in”.

In practice, systemically important financial entities in particular respond to this dependency risk by obtaining the same services or products from several different providers at the same time (multi-vendor strategy) – insofar as this is feasible for the providers.

Although this strategy protects against vendor lock-in, it can significantly increase costs due to the greater complexity of security management. After all, the financial entity has to monitor, train and integrate each additional IT service provider. This is not an option for every financial entity; it can quickly neutralise or even exceed the originally intended cost savings, especially for small companies.

Oversight enables risks to be managed

BaFin’s IT Supervision Directorate has been dealing with concentration risks in IT outsourcing, particularly cloud outsourcing, for several years. Its objective is to identify the risk posed by systemically important IT service providers and to control this risk adequately through oversight. The legal basis for the oversight of IT service providers at the national level has been the German Investment Firm Act (Wertpapierinstitutsgesetz – WpIG) since 26 January 2021 and the German Act to Strengthen Financial Market Integrity (Gesetz zur Stärkung der Finanzmarktintegrität – FISG) since 1 January 2022.

For this objective to be achieved, there must be transparency concerning the interconnectedness on the financial market. BaFin receives outsourcing reports from financial entities. If particular service providers are found to be systemically important, BaFin can decide to oversee these service providers more closely. To this end, it can request documents and information directly from the service providers, carry out on-site inspections at their business premises and order measures to prevent and rectify irregularities.

Should any service providers refuse to cooperate, BaFin can enforce its orders against them by imposing a coercive fine of up to 2.5 million euros. BaFin may also impose administrative fines on such service providers. In 2025, BaFin will be intensifying its measures to oversee outsourcing providers.

DORA oversight framework: new element of EU financial market regulation

An important component of DORA is the new oversight framework for critical ICT third-party service providers. ICT third-party service providers within the meaning of DORA are companies that provide ICT services for financial entities. The oversight framework, which became applicable on 17 January 2025, is a completely new element of EU financial market regulation. Its aim is to make supervisory approaches to ICT third-party risk in the financial sector more efficient and to harmonise them. The oversight framework is also designed to strengthen the digital operational resilience of financial entities in order to preserve the stability of the EU financial system.

The overall responsibility for overseeing critical ICT third-party service providers is assumed by one of the three European Supervisory Authorities (ESAs) – EBA, ESMA or EIOPA – as “Lead Overseer”, depending on the particular sector in which the ICT third-party service provider predominantly operates (see figure). BaFin supports the three ESAs by participating in the Joint Examination Teams (JETs) for those critical ICT third-party service providers that are of systemic importance for the German financial market.

Figure 1: European oversight framework under DORA. This diagram shows the supervisory structure for critical third-party ICT service providers in the financial sector. Source: BaFin

What are critical ICT third-party service providers?

The oversight framework focuses on ICT third-party service providers that have been designated by the ESAs as critical and therefore as requiring oversight and are thus considered systemically important for the financial market. The designation is based on qualitative and quantitative criteria.

The designation criteria under Article 31 No. 2 of DORA and the Delegated Regulation specifying the criteria are decisive. In view of the multitude of ICT services and the diversity of financial institutions, a two-step approach is applied. The aim is to determine the extent to which the ICT third-party service providers have penetrated the market and to identify those ICT third-party service providers that are most critical due to dependencies.

Two-step assessment process

An initial selection of ICT third-party service providers is carried out on the basis of the quantitative sub-criteria in step 1. These are then analysed in more detail using the qualitative sub-criteria of step 2.

The assessment is to be carried out individually for each ICT third-party service provider. If the ICT third-party service provider is part of a group, the assessment must be based on the ICT services provided by the group as a whole. These assessments are based only on those ICT services provided by the ICT third-party service provider that serve to support critical or important functions within the financial entity. Such services are to be assessed in terms of their nature and their critical character to determine whether financial entities rely on them to be able to carry out their activities without disruption.

It is irrelevant for designation purposes whether the ICT third-party service provider has a direct contractual relationship with the financial entity or is subcontracted via another ICT third-party service provider or another financial entity.

Step 1: relevance of the ICT third-party service provider for the financial market

First of all, step 1 focuses on the extent to which the ICT third-party service provider has penetrated the financial market (Article 31(2)(a) of DORA). Only a relevant level of market penetration on the part of the ICT third-party service provider gives cause to expect that a comprehensive disruption of operations at this service provider would have a systemic impact on the stability, continuity or quality of the provision of services by financial entities.

Those ICT third-party service providers that provide ICT services to support critical or important functions for at least 10 percent of the financial entities in each category of financial entities are considered critical. EU legislators have listed these categories in Article 2(1) of DORA. These are the various types of financial entities that fall within the scope of DORA, such as credit or payment institutions, investment firms, central counterparties, or insurance/reinsurance companies.

In addition, the customers of the ICT third-party service provider must be financial entities from each category whose total value of assets in relation to the total value of assets of all EU financial entities within the individual categories is at least 10 percent.

Systemic importance of customers also relevant

In addition, step 1 of the assessment should also take into account the systemic nature or significance of the financial entity. This requires a qualitative assessment of the systemic importance and interconnectedness of ICT third-party service providers and the importance of the services provided by these third-party service providers for the financial services provided by financial entities.

The assessment should also give consideration to the stability and continuity of services in order to determine the systemic impact of the ICT third-party service provider on the activities of financial entities. Important factors in this context are the type of financial entity involved and how many of these systemically important financial entities use the ICT third-party service provider. To this end, the number of global systemically important credit institutions (G-SIIs) or other systemically important credit institutions (O-SIIs) and the interdependence between these and other financial entities are to be analysed.

EU legislators consider this sub-criterion of step 1 to be met if the ICT third-party service provider counts at least the following among its customers:

  • one global systemically important credit institution (G-SII);
  • three other systemically important credit institutions (O-SIIs);
  • one O-SII with an O-SII score above 3,000 calculated in accordance with Article 131(3) of Directive 2013/36/EU;
  • one financial entity identified as systemically important by the competent authorities in the categories of central securities depositories, central counterparties, trading venues or trade repositories;
  • three financial entities identified as systemically important by the competent authorities in the categories set out in Article 2(1)(b) to (f) and (k) to (t) of DORA, such as insurance companies or management companies.

Another criterion: can the ICT third-party service provider be replaced?

Another important part of step 1 is the assessment of the substitutability of the ICT third-party service provider under Article 31(2)(d) of DORA. The quantitative criterion alone does not determine whether an ICT third-party service provider requires oversight.

Even if an ICT third-party service provider were to support every European financial entity with its ICT services in the provision of critical or important functions, this would not qualify the service provider as a critical ICT third-party service provider if its ICT service could be taken over by a large number of other ICT service providers at any time and without any major difficulty.

Rather, the question is whether financial entities are dependent on this third-party ICT service provider. The first decisive factor in this respect is whether there is a lack of alternatives – due, for example, to the fact that only a few ICT third-party service providers are active on a particular market. Another criterion is the technical complexity or sophistication of the ICT service offered, particularly in light of proprietary technologies to which ICT third-party service providers have exclusive rights.

Step 2: dependence of the financial market on the third-party ICT service provider

In step 2, the ESAs continue with the process of designation for those ICT third-party service providers that meet all the sub-criteria of step 1. If in step 1 the ICT third-party service provider reaches the 10 percent thresholds with regard to its penetration of the financial market within the meaning of Article 31(2)(a) of DORA, it must be determined in step 2 to what extent the activities and business operations of the financial entities identified in step 1 and the number of these financial entities would be affected if the ICT third-party service provider were to cease to provide its ICT services.

In addition, the assessment must also address the ICT third-party service provider’s reliance on the same subcontractors that provide ICT services in support of critical or important functions of financial entities.

If the ICT third-party service provider has a large number of systemically important financial entities among its customers, the assessment is continued in step 2 – with an examination of the interdependence of the systemically important financial entities that utilise ICT services from the same ICT third-party service provider. This applies in particular if these customers provide G-SII or O-SII financial infrastructure services for other financial entities.

Activities of critical importance?

In step 2, it must also be assessed whether the ICT services provided by the ICT third-party service provider in support of critical or important functions of financial entities are critical to the activities of the financial entities. If the outcome of the assessment is positive, this sub-criterion is considered to be met.

If it is determined in step 1 that financial entities rely on this ICT third-party service provider, it must be examined in step 2 whether this reliance is extensive enough to justify overseeing the ICT third-party service provider. A relevant lack of real alternative service providers, or even partial alternatives, is to be assumed if, for at least 10 percent of the total number of financial entities in each individual category of financial entities within the meaning of Article 2(1)(a) to (t) of DORA,

  • no alternative ICT third-party service provider is available with the necessary capacity to provide the same ICT services as those provided by the relevant ICT third-party service provider, or
  • migrating to another ICT third-party service provider would be extremely difficult for the financial entity.

Four exemptions from the designation of critical ICT third-party service providers

Article 31(8) of DORA regulates which ICT third-party service providers are not to be included in the assessment process in the first place. First, these are financial entities that are themselves subject to financial supervision. They are not to be subject to a further oversight regime simply because they also provide ICT services for other financial entities. Second, ICT third-party service providers that are subject to the oversight framework supporting the European System of Central Banks are exempt.

The third exemption is particularly important for the German financial market. For example, it affects intra-group service providers, such as insurance groups. These service providers are not suitable for European oversight because if they were to fail, only their group would be affected. They can therefore be supervised on a national level by the supervisory authority that also supervises the financial entity.

Fourth, the exemption also applies to companies that provide ICT services to financial entities “belonging to the same institutional protection scheme” (Article 3 No 20 of DORA). Central IT service providers within a financial network in the savings bank and cooperative sector are also exempt from European oversight and will continue to be monitored on a national level. ICT third-party service providers that provide ICT services solely at the national level for financial entities operating solely at the national level are also not the focus of the ESAs: since they are not relevant for the European financial market, they will remain the focus of national supervision.

Registers of information to be submitted by 11 April 2025 at the latest

To ensure that the supervisory authorities are aware of dependencies on ICT third-party service providers and can designate critical ICT third-party service providers, all financial entities are obliged to maintain a register of information (first subparagraph of Article 28(3) of DORA). The register of information is to contain all the contractual arrangements regarding the use of ICT services provided by ICT third-party service providers and must be made available to the competent authority on request. At present, BaFin is calling on financial entities to make their first submission of registers of information to BaFin by 11 April 2025 at the latest.

The national competent authorities are to submit these registers of information by 30 April 2025 to the ESAs, who will then be able to designate the ICT third-party service providers that require oversight. This is regulated by Guideline 5.1 of the Joint Guidelines of the European Supervisory Authorities on oversight cooperation and information exchange for the purposes of designating ICT third-party service providers.

The ESAs intend to publish a list of critical ICT third-party service providers in the second half of 2025. The high requirements described above suggest that only a small number of ICT third-party service providers operating throughout Europe will be overseen. However, ICT third-party service providers that do not meet the criteria have the option of voluntarily applying for oversight – an option they could make use of for reputational reasons.
