DORA Article 31 requires financial entities to assess and manage ICT concentration risk — the danger of over-reliance on a single provider, a small number of providers, or providers concentrated in a particular geography. The Concentration Risk Analysis page brings together data from across your Register of Information to identify and visualise these risks.

Risk Flags

At the top of the page, amber warning boxes highlight the most significant concentration risks detected in your register. These flags are generated automatically based on thresholds such as:

  • A single provider accounting for more than 30% of total ICT spend
  • A single provider supporting 3 or more critical business functions
  • More than 50% of contracts governed by a single jurisdiction
  • Deep sub-outsourcing chains without exit plans

Summary Cards

Three summary cards provide a high-level overview:

| Card | Description |
| --- | --- |
| ICT Providers | Total number of registered ICT providers |
| Total ICT Spend | Sum of annual costs across all active contractual arrangements |
| Critical Dependencies | Number of providers classified as Critical that support critical business functions |

Analysis Panels

The page is divided into four analysis panels, each examining concentration risk from a different angle:

1. Spend Concentration

This panel ranks the top 10 providers by annual ICT spend. Each provider is shown with a horizontal progress bar representing their share of total spend:

  • Red bar — provider accounts for more than 30% of total spend (high concentration risk)
  • Amber bar — provider accounts for 15% to 30% of total spend (moderate concentration risk)
  • Blue bar — provider accounts for less than 15% of total spend (acceptable)

Each row also shows the absolute spend amount and the number of active contracts with that provider.

⚠️ Regulators consider spend concentration above 30% with a single provider a significant risk indicator. Develop contingency plans and exit strategies for any provider in the red zone.

2. Critical Function Dependencies

This panel shows which providers are linked to critical business functions. Each provider row displays:

  • The provider name
  • The count of critical functions they support
  • Colour coding: Red if the provider supports 3 or more critical functions, Amber if fewer than 3
  • Function tags — small labels showing the names of each critical function the provider supports

3. Geographic Concentration

This panel presents a country-level table showing the geographic distribution of your ICT dependencies:

| Column | Description |
| --- | --- |
| Country | The country name and flag or code |
| Providers | Number of ICT providers headquartered in this country |
| Contracts | Number of contractual arrangements governed by or provisioned from this country |
| Spend % | Percentage of total ICT spend attributed to providers in this country |

4. Sub-outsourcing Chains

This panel examines the depth and breadth of your ICT service supply chains. For each provider with sub-outsourcing arrangements, the panel shows:

  • The provider name
  • The count of sub-outsourcing chains (total number of sub-providers across all tiers)
  • The list of countries where sub-providers are located

💡 Use the concentration risk analysis to inform your exit strategy planning and diversification decisions. Present this data in board reports to demonstrate DORA Art 31 compliance to senior management.
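
The flag thresholds and spend colour bands described on this page, applied to a small constructed register. This is an added example, not the product's own code: the record field names and sample providers are assumptions, and the sub-outsourcing flag is left out because the page gives no numeric threshold for it.

```python
from collections import Counter, defaultdict

# Thresholds are the ones stated on the page; record field names are assumptions.
SPEND_RED, SPEND_AMBER = 30.0, 15.0  # percent of total ICT spend
CRITICAL_FUNCS_RED = 3               # critical functions per provider
JURISDICTION_FLAG = 50.0             # percent of contracts

def spend_band(share_pct):
    """Red above 30%, amber from 15% to 30% inclusive, blue below 15%."""
    if share_pct > SPEND_RED:
        return "red"
    return "amber" if share_pct >= SPEND_AMBER else "blue"

def analyse(contracts):
    """Return (top-10 spend rows, risk flags) for active contract records."""
    spend, funcs = defaultdict(float), defaultdict(set)
    for c in contracts:
        spend[c["provider"]] += c["annual_cost"]
        funcs[c["provider"]].update(c["critical_functions"])
    total = sum(spend.values())
    rows, flags = [], []
    for provider, cost in sorted(spend.items(), key=lambda kv: -kv[1])[:10]:
        share = 100.0 * cost / total if total else 0.0  # empty or zero-cost register
        rows.append((provider, round(share, 1), spend_band(share)))
        if share > SPEND_RED:
            flags.append(f"{provider}: {share:.1f}% of total ICT spend")
    for provider, names in funcs.items():
        if len(names) >= CRITICAL_FUNCS_RED:
            flags.append(f"{provider}: supports {len(names)} critical functions")
    if contracts:
        country, n = Counter(c["jurisdiction"] for c in contracts).most_common(1)[0]
        if 100.0 * n / len(contracts) > JURISDICTION_FLAG:
            flags.append(f"{country}: governs {n} of {len(contracts)} contracts")
    return rows, flags

# Constructed sample register (hypothetical providers and amounts).
SAMPLE = [
    {"provider": "CloudCo", "annual_cost": 600_000, "jurisdiction": "IE",
     "critical_functions": ["Payments", "Core banking"]},
    {"provider": "CloudCo", "annual_cost": 200_000, "jurisdiction": "IE",
     "critical_functions": ["Customer onboarding"]},
    {"provider": "DataHost", "annual_cost": 300_000, "jurisdiction": "IE",
     "critical_functions": ["Payments"]},
    {"provider": "HelpdeskLtd", "annual_cost": 100_000, "jurisdiction": "DE",
     "critical_functions": []},
]

if __name__ == "__main__":
    rows, flags = analyse(SAMPLE)
    print(rows); print(*flags, sep="\n")
```

Note the boundary behaviour: a provider at exactly 30% of spend is amber, not red, because the page defines red as "more than 30%".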