By now, it is widely acknowledged that the Digital Operational Resilience Act (DORA) introduces key obligations for financial entities in managing risks associated with the outsourcing of Information and Communication Technology (ICT) services. Article 29 of DORA mandates comprehensive pre-contractual assessments to ensure robust regulatory compliance, particularly in two critical areas: ICT provider concentration and outsourcing-related risks. But how are these assessments conducted?
STAY UPDATED
We’re also presenting the collaboration in video format, in case you prefer it (it will take you no more than 2 minutes to watch):
Assessment of ICT Provider Concentration
Financial entities are required to evaluate their level of dependency on ICT providers, especially those supporting critical or essential functions. This involves assessing whether a provider (or group of interconnected providers) can be readily substituted, and analyzing the costs and benefits of alternative solutions—such as diversifying with additional vendors. Such evaluations must align with the institution’s digital resilience strategy, ensuring proposed solutions are viable and in line with business objectives. Proper documentation of these assessments is essential, as it constitutes pre-established evidence in case of supervisory inquiries, under the standard of business judgment (i.e., the prudent merchant rule).
Risk Management in ICT Outsourcing: Some Practical Examples
DORA also requires entities to assess the risks arising from outsourcing, particularly in situations where an ICT provider subcontracts critical or important functions to third parties. The following elements must be considered:
Benefits and risks of subcontracting, particularly when the subcontractor is based in a third country:
Benefits:
- Reduction in operational costs by engaging ICT services in countries with lower labor costs, such as India or the Philippines.
- Access to advanced technologies or specialized expertise unavailable locally, such as in cybersecurity or artificial intelligence.
- Scalability of services to meet peak demand periods, as in cloud computing platforms managed from third countries.
Risks:
- Political or regulatory instability in the third country, which could disrupt service continuity (e.g., legislative changes in data protection laws in China).
- Divergence in data security standards, increasing the risk of data breaches.
- Language or cultural barriers hindering effective communication and contract management with the subcontractor.
Legal risks associated with provider insolvency, including applicable laws in the event of bankruptcy:
Insolvency regulations:
- In third countries, bankruptcy laws may prioritize local creditors over foreign clients, delaying or preventing recovery of digital assets (e.g., data stored on servers located in Brazil).
- Lack of alignment with EU law, such as the European Insolvency Regulation, complicating the enforcement of rights in liquidation scenarios.
Other legal risks:
- Absence of bilateral agreements guaranteeing data recovery in the event of insolvency (e.g., a provider located in a jurisdiction without treaties with the EU).
- High legal costs associated with litigation in foreign jurisdictions, such as the U.S., where bankruptcy proceedings can be complex and lengthy.
Operational restrictions, including the ability to recover data urgently or to comply with EU data protection laws:
Urgent data recovery capacity:
- Delays in data retrieval due to bandwidth limitations or infrastructure deficiencies in the third country (e.g., servers in Africa with limited connectivity).
- Dependency on manual processes by the subcontractor to restore data, leading to extended response times during crises.
Compliance with EU data protection regulations:
- Non-compliance with the General Data Protection Regulation (GDPR) by the subcontractor, such as the lack of adequate technical safeguards for personal data security.
- International data transfers without adequacy decisions or standard contractual clauses, such as with providers in jurisdictions not recognized by the EU.
Impact of complex subcontracting chains, which may hinder the monitoring of contracted functions and effective oversight by competent authorities:
Monitoring challenges:
- Loss of visibility over critical functions where an ICT provider subcontracts to multiple third parties (e.g., an EU cloud provider delegating storage to a subcontractor in Asia).
- Absence of direct audits on second-tier subcontractors, making it difficult to verify compliance with security standards.
Supervisory challenges for competent authorities:
- Difficulty tracing responsibilities within extended subcontracting chains, increasing the risk of regulatory sanctions due to insufficient oversight.
- Challenges in ensuring all subcontractors comply with DORA, particularly when they operate under more lenient regulatory frameworks.
These assessments must be rigorous, taking into account both local laws and the specific legal and operational context of third countries, especially regarding the enforceability of applicable law.

Si te ha interesado este artículo no dudes en leer:
DORA: A New Challenge for Account Information Service Providers (AISPs)
The Importance of Proactive Compliance
Compliance with DORA is not merely a regulatory obligation—it represents an opportunity to optimize ICT risk management. Financial entities must integrate these assessments into their governance frameworks, ensuring that decisions are traceable and well justified. Adequate documentation and ongoing evaluation of ICT providers will strengthen the institution’s position in audits and enhance its operational resilience.
In conclusion, a proactive and structured approach to managing ICT outsourcing risks not only ensures DORA compliance but also safeguards financial institutions from digital vulnerabilities, thereby reinforcing their competitiveness in an increasingly demanding regulatory environment.
“If you enjoyed this article, you might also find the following one interesting:
What Are ICT Services under DORA?
Contact
Don’t be left in doubt, get in touch. We’ll be happy to help and offer you solutions.

