The Concentration Risk Analysis page provides an automated, data-driven view of how dependent your organisation is on individual ICT third-party providers. It draws directly from the data you have entered in the Register of Information — providers, contracts, business functions, and sub-outsourcing records — and highlights areas of excessive reliance that could threaten your operational resilience.
Regulatory Context — DORA Article 31
Article 31 of DORA (Regulation EU 2022/2554) requires financial entities to identify, measure, and manage ICT concentration risk at entity level. Concentration risk arises whenever a single ICT provider — or a small group of closely related providers — accounts for a disproportionate share of the services, spend, or critical functions that keep your business running.
The question at the heart of Article 31 is straightforward: If this provider failed, how badly would we be affected, and how quickly could we find an alternative?
When does concentration become dangerous?
Concentration risk increases as any of the following grow:
- Spend share — A large percentage of total ICT expenditure goes to one provider.
- Critical function stacking — Multiple critical or important business functions depend on the same provider.
- Geographic clustering — Providers (and their sub-providers) are concentrated in one country or region, exposing the entity to correlated disruptions.
- Supply-chain depth — A provider sub-outsources to further parties, creating dependencies that are hard to monitor or control.
Article 31(3) criteria
When assessing concentration risk, DORA Article 31(3) requires financial entities to consider:
- Substitutability — Whether alternative providers exist, how easily services could be migrated, and whether data portability is practical.
- Multi-vendor strategy — Whether the entity has diversified its ICT supply across multiple providers to reduce single-point-of-failure exposure.
- Geographic diversity — Whether providers and their data centres are distributed across different jurisdictions to limit jurisdiction-specific risks (regulatory change, geopolitical instability, natural disaster).
Critical Third-Party Providers (CTPPs)
Under Article 31(1), the ESAs (European Supervisory Authorities) may designate an ICT provider as a Critical Third-Party Provider (CTPP) when the provider is so widely used that its failure could cause systemic disruption. Financial entities are expected to monitor whether their providers have been designated as CTPPs and to apply enhanced oversight accordingly. The Concentration Risk Analysis supports this by surfacing which providers are classified as critical and how many of your own critical functions rely on them.
Risk Flags
At the top of the page, Venvera automatically generates amber warning alerts based on the data in your register. These risk flags draw attention to situations that may require management action or further investigation. Examples include:
- >30% of total ICT spend on a single provider — Indicates that a significant portion of your budget (and likely your operations) depends on one vendor.
- ≥3 critical business functions supported by one provider — Signals a high-impact single point of failure.
- Significant geographic clustering — Multiple providers or sub-providers are headquartered in the same jurisdiction.
Each flag is displayed in a clearly visible amber alert box with a warning icon. They are generated every time the page loads, so the list reflects the most current state of your data.
Summary Cards
Below the risk flags, three summary cards provide a high-level snapshot:
| Card | What It Shows | Why It Matters |
|---|---|---|
| ICT Providers | Total number of ICT third-party providers in your register | A low count may indicate limited diversification; a high count may signal oversight complexity. |
| Total ICT Spend | Aggregate annual contract value across all providers, formatted in EUR | Establishes the denominator for all spend-percentage calculations below. |
| Critical Dependencies | Number of providers that support at least one critical business function | These are the providers whose failure could directly impair critical operations. |
The Four Analysis Panels
The core of the page is a two-by-two grid of analysis panels, each examining concentration from a different angle.
1. Spend Concentration
This panel lists the top 10 providers by share of total ICT spend. For each provider it shows:
- The provider name (linked to the provider detail page)
- A percentage figure indicating what fraction of total ICT spend goes to this provider
- A progress bar, colour-coded:
  - Red — the provider accounts for more than 30% of total spend
  - Amber — between 15% and 30%
  - Blue — below 15%
- The absolute spend amount in EUR and the number of contracts contributing to that total
Why 30% matters. There is no explicit regulatory threshold at 30%, but supervisory guidance and industry practice treat a concentration above roughly one-third as a strong signal of dependency. At this level, losing the provider would require replacing a major share of your ICT services — likely exceeding what most exit plans can handle within acceptable timeframes.
2. Critical Function Dependencies
This panel identifies providers that support one or more critical business functions. For each provider it displays:
- The provider name (linked to the provider detail page)
- A count badge showing the number of critical functions the provider supports:
  - Red badge — the provider supports 3 or more critical functions
  - Amber badge — fewer than 3 critical functions
- Function tags — the names of the critical functions themselves, displayed as small inline labels
Why stacking critical functions on one provider is risky. If a single provider supports your payment processing, customer onboarding, and regulatory reporting, a disruption at that provider could simultaneously impair all three. DORA expects entities to identify these situations and to have exit strategies, alternative arrangements, or enhanced contractual protections in place.
If no providers are linked to critical functions, the panel shows guidance on linking functions to contracts so the analysis can be populated.
3. Geographic Concentration
This panel displays a country-level breakdown of your provider base in a table with four columns:
| Column | Description |
|---|---|
| Country | The country where the provider is headquartered |
| Providers | Number of providers in this country |
| Contracts | Number of contracts held with providers in this country |
| Spend % | Percentage of total ICT spend allocated to providers in this country |
Why geographic diversity matters. Providers concentrated in one region share exposure to the same risks: regulatory changes, political instability, natural disasters, or infrastructure failures. Article 31(3) specifically calls out the importance of geographic diversity when assessing substitutability. If 80% of your spend goes to providers in one country, a single jurisdiction-wide event could disrupt most of your ICT services simultaneously.
4. Sub-outsourcing Chains
This panel lists providers that sub-outsource part of their ICT service delivery to other parties. For each provider it shows:
- The provider name
- The countries where their sub-providers are located
- A purple badge with the number of sub-providers in the chain
Supply chain depth is a crucial dimension of concentration risk. Even if you have diversified your direct providers, those providers may all sub-outsource to the same cloud platform or data centre operator, re-creating concentration at a deeper level. This panel gives you visibility into the supply chain so you can assess whether hidden dependencies exist.
Interpreting Results
The concentration risk analysis is not a pass/fail check. It is a diagnostic tool that helps you form a judgement about your ICT dependency posture. Here is how to read the results:
- If any amber warnings appear, treat each one as a topic that needs investigation. Document your rationale for accepting or mitigating the risk.
- Providers with red progress bars (above 30%) should be subject to enhanced oversight, robust exit planning, and contractual audit rights per Article 30.
- Providers with red count badges (3+ critical functions) represent your highest single-point-of-failure risk. Consider whether alternative providers could take over any of the functions.
- If one country dominates the spend percentage, evaluate whether your business continuity and disaster recovery plans (BCP/DRP) adequately cover a jurisdiction-wide disruption scenario.
- Look for cases where multiple direct providers sub-outsource to the same downstream provider. This hidden convergence is easy to miss but can nullify your diversification efforts.
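As an added example that is not Venvera's own code, the following Python derives the four panels, the hidden-convergence check, and the amber flags from a constructed extract of a Register of Information (provider, HQ country, annual contract value, supported functions, and sub-outsourcing records). The 30% and 15% spend bands and the 3-function badge threshold follow the page; the 50% country-spend threshold for the geographic flag is an assumption, since the page gives no number for it.

```python
from collections import defaultdict

# Constructed sample register (not real data): contracts carry the provider, its HQ
# country, the annual value in EUR and the business functions the contract supports.
CRITICAL = {"payments", "onboarding", "reporting"}  # critical or important functions
CONTRACTS = [  # (provider, country, annual_value_eur, functions supported)
    ("CloudCo", "IE", 400_000, ["payments", "onboarding"]),
    ("CloudCo", "IE", 200_000, ["reporting"]),
    ("DataHub", "DE", 250_000, ["intranet"]),
    ("NetServ", "IE", 150_000, ["reporting"]),
]
SUBOUTSOURCING = [  # (direct provider, sub-provider, sub-provider country)
    ("CloudCo", "HyperScale", "US"),
    ("DataHub", "HyperScale", "US"),
    ("NetServ", "LocalDC", "IE"),
]

def spend_band(share):  # colour band of the Spend Concentration progress bar
    return "red" if share > 0.30 else "amber" if share >= 0.15 else "blue"

def analyse(contracts, critical, subs, geo_flag=0.50):  # geo_flag is an assumed threshold
    total = sum(c[2] for c in contracts)
    spend, ncontracts, crit = defaultdict(float), defaultdict(int), defaultdict(set)
    country = defaultdict(lambda: {"providers": set(), "contracts": 0, "spend": 0.0})
    for prov, ctry, value, funcs in contracts:
        spend[prov] += value
        ncontracts[prov] += 1
        crit[prov].update(f for f in funcs if f in critical)
        country[ctry]["providers"].add(prov)
        country[ctry]["contracts"] += 1
        country[ctry]["spend"] += value
    # Panel 1: top 10 providers by share of total spend, with colour band
    spend_panel = sorted(({"provider": p, "share": spend[p] / total, "band": spend_band(spend[p] / total),
                           "contracts": ncontracts[p]} for p in spend), key=lambda r: -r["share"])[:10]
    # Panel 2: critical-function stacking (red badge at 3 or more functions)
    crit_panel = {p: {"count": len(f), "badge": "red" if len(f) >= 3 else "amber"} for p, f in crit.items() if f}
    # Panel 3: country-level breakdown with spend percentage
    geo_panel = {c: {"providers": len(d["providers"]), "contracts": d["contracts"], "spend_pct": d["spend"] / total}
                 for c, d in country.items()}
    # Panel 4 and the hidden-convergence check: sub-providers shared by more than one direct provider
    downstream = defaultdict(set)
    for direct, sub, _ in subs:
        downstream[sub].add(direct)
    convergence = {sub: sorted(d) for sub, d in downstream.items() if len(d) > 1}
    # Risk flags in the spirit of the page's amber alerts
    flags = [f"{r['provider']} receives {r['share']:.0%} of ICT spend" for r in spend_panel if r["band"] == "red"]
    flags += [f"{p} supports {v['count']} critical functions" for p, v in crit_panel.items() if v["badge"] == "red"]
    flags += [f"{c} hosts {g['spend_pct']:.0%} of ICT spend" for c, g in geo_panel.items() if g["spend_pct"] > geo_flag]
    flags += [f"{sub} is a shared sub-provider of {', '.join(d)}" for sub, d in convergence.items()]
    return {"spend": spend_panel, "critical": crit_panel, "geo": geo_panel, "convergence": convergence, "flags": flags}
```

On the sample data this raises four flags: CloudCo at 60% of spend, CloudCo stacking three critical functions, Ireland hosting 75% of spend, and HyperScale appearing as a shared sub-provider behind two otherwise distinct direct providers.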
When to Escalate
You should bring concentration risk findings to management attention when:
- A single provider exceeds 30% of total ICT spend with no documented exit plan.
- More than 3 critical functions depend on the same provider.
- A provider has been designated as a CTPP by the ESAs and you have no alternative arrangement.
- Sub-outsourcing chains are opaque or extend into jurisdictions where regulatory enforcement is limited.