Twenty-nine percent of major ICT incidents reported across the EU financial sector in 2025 originated from failures at third-party providers: vendors, infrastructure operators, and other financial entities in the supply chain.
For TPRM programs operating under DORA, third-party risk concentration is no longer a theoretical concern. The first annual incident data shows it as a structural feature of how the sector is built.
That data appears in the European Supervisory Authorities’ first annual report under DORA, published June 3, 2026, alongside a finding that has received considerably more attention: two-thirds of the 3,383 major incidents recorded that year resulted in no disruption or only minor disruption to clients and transactions. The concentration risk underneath that performance is the more significant finding.
- Third-Party Failures Triggered Nearly One in Three Incidents
- Which Vendors Are DORA Critical Third-Party Providers?
- Containment Measures: Firm-Level Resilience, Not Sector-Wide Exposure
- DORA and the First Regulatory Map of ICT Concentration
- What DORA Supervisors Are Examining in 2026
- Frequently Asked Questions
Third-Party Failures Triggered Nearly One in Three Incidents
The ESAs note that a single third-party failure can generate incident reports at dozens of institutions simultaneously, because those institutions share the same provider. The report calls this a multiplier effect. Practitioners call it concentration risk: when the same exposure pools across firms with no coordinated way to manage it together.
That pooling reflects how the sector is structured. The ECB’s 2024 analysis of outsourcing registers, drawn from 2023 year-end data, found that more than 30% of significant EU banks’ total outsourcing budgets flow to just 10 providers, most headquartered outside the EU. Half of all critical outsourcing spending reaches only 30 providers. That distribution has held stable across multiple years of ECB data collection. European policymakers have started to respond: the Commission’s June 2026 tech sovereignty package aims to cut the bloc’s reliance on non-EU cloud, chip, and software providers. But the build-out is a multi-year effort, so concentration risk that institutions report against today is largely the concentration risk they will be managing for some time.
Which Vendors Are DORA Critical Third-Party Providers?
In November 2025, the ESAs published the first official list of 19 Critical ICT Third-Party Providers under DORA. The list includes Amazon Web Services, Microsoft, Google Cloud, Bloomberg, LSEG Data and Risk, IBM, Fidelity National Information Services, Oracle, SAP, Accenture, Capgemini, Deutsche Telekom, Equinix, and Tata Consultancy Services. These providers now face direct ESA oversight: governance assessments, incident reporting obligations, and scrutiny of the resilience arrangements they maintain for financial sector clients.
The designation gives regulatory form to what the outsourcing data already showed. A significant share of EU financial services runs on a small number of shared platforms, and the full scope of third-party obligations under DORA now extends to understanding which critical functions sit on designated infrastructure and what that dependency requires of a firm’s own program.
Containment Measures: Firm-Level Resilience, Not Sector-Wide Exposure
When incidents occurred in 2025, financial entities were generally able to detect and isolate them before they reached clients at scale. Two-thirds of the 3,383 incidents caused no or minor disruption. The ESAs credit timely detection, effective response, and containment measures, and the data supports that read.
Correlated failure sits outside that frame. In April 2025, the Spanish electrical grid went down for approximately 10 hours, affecting Portugal as well. Banks’ data centers operated on backup power; branches lost connectivity, point-of-sale terminals went offline, and customers across the region could not reach their banks. Preparations that worked at the firm level did not prevent a disruption that arrived from outside it.
The CTPP list formalizes that dynamic for ICT risk. When AWS or Azure experiences a significant outage, as each major cloud provider did at least once in 2025, individual banks’ internal resilience is a secondary consideration. The exposure moves at the speed of shared infrastructure.
DORA and the First Regulatory Map of ICT Concentration
DORA’s Register of Information requirements gave regulators, for the first time, actual contractual data across the EU financial sector aggregated at scale. The CTPP designation list was built from that data, making it the first formal, EU-sector-wide, evidence-grounded map of where ICT concentration actually sits.
Before DORA, regulators had visibility into concentration risk in aggregate terms. The ECB warned about it through successive outsourcing newsletters, and the data on budget concentration had been collected since 2022. Precise mapping required firms to disclose their actual ICT contractual arrangements in a form regulators could aggregate across the sector.
The CTPP designation process produced that map. Regulators used the submitted registers to identify which providers carried systemic significance across the sector, and the resulting list is the first formal acknowledgment, grounded in actual contractual data, that the sector’s operational risk is substantially defined by shared dependencies.
The ECB’s 2024 review found that 12% of critical outsourcing contracts at significant banks were noncompliant with existing requirements by the banks’ own reporting, and 60% of those contracts had not been audited in the prior three years. Firms entering DORA’s active supervision phase carry that gap as a live supervisory exposure.
What DORA Supervisors Are Examining in 2026
The institutions best positioned for DORA’s 2026 enforcement year are those whose third-party risk management frameworks reflect the concentration their vendor portfolios actually carry, with third-party risk monitoring programs built around ongoing exposure rather than point-in-time assessment.
Your TPRM program needs to account for how many critical functions depend on a single provider. Most can’t answer that question with confidence today. What substitutability actually looks like for each arrangement matters just as much. Exit strategies should be tested, not just documented.
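One way to put numbers on that question, as an added example that is not part of the original article: the Python below runs over a constructed register in the spirit of a DORA Register of Information (provider names, functions and spend figures are all made up) and computes the ECB-style top-N spend share, the providers carrying more than one critical function, and a placeholder CTPP flag standing in for the ESA list.

```python
"""Concentration metrics over a constructed ICT outsourcing register (illustrative data only)."""
from collections import defaultdict

# Constructed sample rows: (provider, supported function, critical/important?, annual spend in EUR).
# Note that ColoInc hosts both the primary and the backup data centre, so the "backup"
# does not reduce dependency on that single provider.
SAMPLE_REGISTER = [
    ("CloudCo",  "core banking hosting", True,  4_000_000),
    ("CloudCo",  "payments processing",  True,  2_500_000),
    ("CloudCo",  "marketing analytics",  False,   300_000),
    ("DataVend", "market data feed",     True,  1_200_000),
    ("ColoInc",  "primary data centre",  True,  1_800_000),
    ("ColoInc",  "backup data centre",   True,    900_000),
    ("HRSaaS",   "payroll",              False,   200_000),
]

# Placeholder set of providers the firm treats as ESA-designated CTPPs (not the real list).
CTPP_FLAGS = {"CloudCo", "DataVend"}


def critical_functions_by_provider(register):
    """Map each provider to the set of critical/important functions it supports."""
    functions = defaultdict(set)
    for provider, function, critical, _spend in register:
        if critical:
            functions[provider].add(function)
    return dict(functions)


def top_n_spend_share(register, n, critical_only=False):
    """Share (0..1) of total, or critical-only, spend captured by the n largest providers."""
    spend = defaultdict(int)
    for provider, _function, critical, amount in register:
        if critical or not critical_only:
            spend[provider] += amount
    total = sum(spend.values())
    if total == 0:
        return 0.0
    return sum(sorted(spend.values(), reverse=True)[:n]) / total


def single_points_of_failure(register, ctpps, min_critical=2):
    """Providers carrying at least min_critical critical functions, with their CTPP status."""
    return {
        provider: {"critical_functions": sorted(funcs), "ctpp": provider in ctpps}
        for provider, funcs in critical_functions_by_provider(register).items()
        if len(funcs) >= min_critical
    }


if __name__ == "__main__":
    print(f"top-1 share of critical spend: {top_n_spend_share(SAMPLE_REGISTER, 1, True):.1%}")
    print(single_points_of_failure(SAMPLE_REGISTER, CTPP_FLAGS))
```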
DORA’s first incident report shows a sector that handled 3,383 major incidents with limited client impact. It also documents the concentration structure underneath that performance. Whether your program is built around that structure is what supervisors will examine next. The data to answer that question is already in your vendor portfolio.
Frequently Asked Questions
What did DORA’s first annual incident report find?
The ESAs’ first DORA incident report, published June 3, 2026, covered 3,383 major ICT incidents across the EU financial sector in 2025. Twenty-nine percent originated from third-party failures, one-third had cross-border impact, and two-thirds caused no or minor client disruption. System failures accounted for 51% of all incidents.
What are DORA’s Critical ICT Third-Party Providers?
Critical ICT Third-Party Providers (CTPPs) are vendors designated by the ESAs as systemically significant to EU financial services. In November 2025, 19 providers were named, including AWS, Microsoft, Google Cloud, Bloomberg, and LSEG. They now face direct ESA oversight, including mandatory governance assessments and incident reporting obligations.
What is ICT concentration risk under DORA?
ICT concentration risk arises when many financial institutions depend on a small number of shared providers for critical functions. The ECB’s 2024 data shows more than 30% of significant EU banks’ outsourcing budgets concentrate in just 10 providers. DORA requires firms to assess and document this exposure as part of their third-party risk program.
How does DORA’s incident reporting requirement work?
Under Article 19 of DORA, financial entities must submit an initial notification within four hours of classifying a major ICT incident, an intermediate report within 72 hours, and a final report within one month. Third-party-originated incidents must still be reported by each affected entity unless aggregated reporting conditions are met.
What should firms prioritize for DORA compliance in 2026?
Supervisory focus in 2026 centers on third-party risk management. Priority actions include maintaining a complete Register of Information, assessing concentration risk across CTPP-designated providers, ensuring Article 30 contractual provisions are in place, and testing rather than simply documenting exit strategies.
