AFM and DNB publish report on digital dependence in the financial sector

27 October 2025

Financial Regulatory

On 20 October, the financial sector got a double wake-up call regarding the ICT risks that may arise from overdependence on non-European ICT service providers, particularly the major US cloud service providers.

In their report “Digital dependency in the financial sector” of 20 October 2025 (see AFM and DNB warn of systemic risks in the financial sector from digital dependence) (the “Report”), the Dutch Authority for the Financial Markets (“AFM”) and the Dutch Central Bank (“DNB”) discuss this dependence on non-European ICT service providers and detail the ensuing risks. One of these risks is a growing concentration of ICT services at a small group of US cloud service providers, creating strong dependence. On the very day that the AFM and DNB published their report, a major outage struck the US-based Amazon Web Services (“AWS”), the global market leader in cloud services. The outage hit the operations of AWS customers worldwide, including customers located well outside the region directly affected. Those customers included financial organisations in the United States and the United Kingdom.

While the AFM and DNB recognise that dependence on non-European ICT service providers cannot be substantially reduced overnight, they do highlight measures that financial institutions can take to mitigate the risks of excessive reliance. In that respect, the AFM and DNB also note recent regulatory changes, including the EU Digital Operational Resilience Act (“DORA”), which requires European financial institutions to identify and manage their ICT risks using sound and uniform methods. In addition, they point out issues that require concerted European efforts. The two authorities also identify regulatory impediments to engaging European ICT service providers. We discuss the Report’s key takeaways below.

The financial sector is built on ICT services

Financial companies build the backbone of their organisations largely using the same IT platforms from major US cloud service providers (also referred to as hyperscalers). In an NRC newspaper interview of 19 October in which the AFM and DNB discuss the associated risks and announce their report (Toezichthouders waarschuwen: Europa dreigt digitale kolonie te worden door techafhankelijkheid, in Dutch), Steven Maijoor, Chair of Supervision at DNB, also points out the prominent role of Israeli cybersecurity software providers and Indian ICT service providers.

Financial companies use external ICT services, to a greater or lesser degree, in all their business processes. On the one hand, this is driven by efficiency gains, cost reduction and alignment with client needs. On the other, it reflects a preference to outsource some of the management of ICT risks – ensuing from increased complexity and cyber risks – to specialised ICT service providers outside the company’s own organisation. Factors such as high redundancy (having duplicate or multiple infrastructure) and geographic distribution enable cloud service providers to safeguard data and ICT service availability better or more cost effectively than the financial companies themselves.

One of the key motivations behind the Report is the heightened geopolitical tension, combined with the dependence of European financial and other companies on a handful of US ICT service providers for their ICT services. In addition, the dominance of US AI platforms could further deepen dependence on US tech platforms in the future. These dependencies could be exploited for geopolitical purposes.

Relation to existing regulations

Applicable since 17 January 2025, DORA uniformly addresses ICT risks for a large group of financial companies in the European Union. The mandatory registers of information on ICT third-party arrangements provide insight into each financial company’s reliance on internal and external ICT processes and, at macro level, into concentration risks. Concentration of critical ICT services among a few systemically important ICT service providers can create systemic risks: it makes the financial system’s stability dependent on the resilience and availability of external ICT services, as the outage of critical services caused by the disruption at AWS again made painfully clear.

DORA is a detailed and far-reaching regulatory package. It aims to ensure uniform management of ICT risks in the financial sector and regulates a wide range of aspects, including governance, risk assessments, contractual clauses and a basic oversight regime for critical ICT third-party service providers. However, it is on this last point that DORA seems to be falling short of expectations, even at this early stage. In its current form, DORA is inadequate to absorb systemic and geopolitical risks.

DORA provides a first step towards subjecting systemically important ICT service providers, under specific conditions, to a degree of EU oversight. While this is unique, as other EU financial sector regulations mainly target financial entities, the AFM and DNB consider this approach insufficient to fully address geopolitical risks. They see specific opportunities to improve the DORA oversight framework for non-EU critical ICT service providers: for example, they argue that the EU should assess DORA on this point and consider further guidance where necessary. In addition, a statutory supervisory framework for critical ICT service providers could be worth exploring in due course.

The AFM and DNB note that, according to some financial companies and ICT service providers, DORA may lead to a reduction in the supply of ICT service providers, which would increase the concentration risk. This is mainly because some small ICT service providers cannot or will not comply with DORA and therefore discontinue their services to financial sector clients.

In addition, DORA can prompt financial companies to reduce the number of ICT services they purchase, in order to limit their administrative burden. According to the AFM and DNB, this is another factor that can result in services becoming more concentrated at fewer ICT service providers. At the same time, a reduction in the number of ICT services and ICT service providers on which financial companies rely can also lead to a more streamlined and manageable ICT landscape for those companies. The AFM and DNB should therefore also bear in mind that achieving simplification and rationalisation can be a deliberate strategy and, in itself, a legitimate objective that aligns with DORA’s goal.

Systemic risks

The concentration of activities at a small number of ICT service providers has created concentration risks and ICT systemic risks: a failure at one ICT service provider can impact several institutions at once. This was clearly illustrated by the major outage at AWS, which, remarkably, happened on the same day that the Report was published (Amazon’s cloud business hit by widespread outage). AWS stated that, although the outage originated in its US-EAST-1 region, technical issues plagued AWS clients worldwide. Financial companies in the United Kingdom, such as Lloyds Bank, Halifax and Bank of Scotland, as well as crypto exchange Coinbase and apps and devices such as Snapchat, Duolingo, Pokémon GO, Roblox, Alexa and Ring doorbells, consequently suffered disruptions to their availability and services. For example, account holders at various UK banks were unable to access their accounts or make payments online for several hours.

Possible risk controls

The AFM and DNB conclude that, while financial companies recognise these geopolitical and systemic risks and usually perform intensive ICT risk management on that front, they can only partly mitigate these risks. Their measures may include drawing up exit plans and exit strategies, analysing the ICT landscape, and pursuing a multi-vendor strategy, which ensures that they do not rely on a single ICT service provider for all their ICT services. Nevertheless, there are still not enough equivalent EU ICT service provider alternatives available and there are barriers to switching, giving rise to the risk of vendor lock-in. Absent sufficient non-US alternatives, it is unrealistic to expect that dependence on US ICT service providers will diminish any time soon.

The AFM and DNB underscore the strategic importance of reducing this dependence in due course. However, enhancing Europe’s digital autonomy requires action at a European level, drawing on the solutions set out in the Draghi report. In addition, an EU supervisory authority dedicated specifically to cloud services might be more effective than the current fragmented EU approach, with several authorities dealing with cloud service providers, both in and outside the financial sector.

Although US hyperscalers’ EU operations offer data sovereignty solutions (which are usually more expensive and less flexible), the extent to which these organisational, operational and legal measures protect against state interference remains to be seen. Nevertheless, financial companies will have to be able to articulate the measures they have taken to ensure data sovereignty and security.

DNB and the AFM also point out that financial companies have the option of managing encryption keys in their own ICT environments rather than outsourcing this management to cloud service providers, in order to better protect data in the cloud against unauthorised access by state actors. This, however, addresses confidentiality only: it does not resolve the systemic risks that may ensue from system outage or data loss. Financial entities might also consider measures to increase the portability of their data and processes in cloud applications, making it easier to transfer them to other providers or to bring them back in-house.
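To make concrete what holding the keys yourself does and does not buy, the following is an added example in Go (not from the Report, the AFM/DNB or any cloud provider’s tooling): client-side envelope encryption in which the key-encryption key stays in a vault under the financial entity’s control and the provider only ever receives ciphertext plus a wrapped per-object data key. KeyVault, CloudStore, the object name and the IBAN record are constructed stand-ins for illustration; a real deployment would use an HSM-backed external key manager and the provider’s object storage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrOutage models the provider's storage being unreachable, as in a regional outage.
var ErrOutage = errors.New("cloud storage unavailable")

// must panics on errors that can only be programming mistakes here (bad key size, dead CSPRNG).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce || ciphertext || tag under an AES-256-GCM key; open reverses it
// and fails on a wrong key or any tampering.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KeyVault is a constructed stand-in for key management inside the financial entity's own
// environment (an on-premises HSM, say): the key-encryption key (KEK) is generated here and
// never leaves; only wrap/unwrap of per-object data-encryption keys (DEKs) is exposed.
type KeyVault struct{ kek []byte }

func NewKeyVault() *KeyVault                               { return &KeyVault{kek: randomBytes(32)} }
func (v *KeyVault) Wrap(dek []byte) []byte                { return seal(v.kek, dek) }
func (v *KeyVault) Unwrap(wrapped []byte) ([]byte, error) { return open(v.kek, wrapped) }

// CloudObject is everything the provider stores per object; none of it is usable without the KEK.
type CloudObject struct{ WrappedDEK, Ciphertext []byte }

// CloudStore simulates provider object storage; Available=false models an outage once data is stored.
type CloudStore struct {
	Available bool
	Objects   map[string]CloudObject
}

func NewCloudStore() *CloudStore { return &CloudStore{Available: true, Objects: map[string]CloudObject{}} }

// Upload encrypts client-side under a fresh DEK, has the vault wrap that DEK, and hands
// the provider only ciphertext plus wrapped DEK.
func Upload(vault *KeyVault, store *CloudStore, name string, plaintext []byte) {
	dek := randomBytes(32)
	store.Objects[name] = CloudObject{WrappedDEK: vault.Wrap(dek), Ciphertext: seal(dek, plaintext)}
}

// Download unwraps the DEK locally and decrypts. During an outage it fails even though
// the KEK is safely at home: key custody protects confidentiality, not availability.
func Download(vault *KeyVault, store *CloudStore, name string) ([]byte, error) {
	if !store.Available {
		return nil, ErrOutage
	}
	obj := store.Objects[name]
	dek, err := vault.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// ProviderSeesPlaintext is the provider-side (or compelled-access) view of one stored object.
func ProviderSeesPlaintext(obj CloudObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	vault, store := NewKeyVault(), NewCloudStore()
	record := []byte("IBAN NL00BANK0123456789 balance 1250.00") // constructed sample record
	Upload(vault, store, "ledger/1", record)
	fmt.Println("provider sees plaintext:", ProviderSeesPlaintext(store.Objects["ledger/1"], record))
	pt, err := Download(vault, store, "ledger/1")
	fmt.Println("customer decrypts:", bytes.Equal(pt, record), err)
	store.Available = false
	_, err = Download(vault, store, "ledger/1")
	fmt.Println("during outage:", err)
}
```

Run it with go run: the provider-side check finds no plaintext in what it stores, a vault with a different KEK fails to unwrap the data key, and the moment the store is flagged unavailable Download fails even though the KEK is safely at home. That last branch is the Report’s caveat in code: key custody addresses confidentiality against the provider or a state actor that compels it, not the availability risk of an outage. Two further limits apply in practice: any service that has to process the data server-side must see plaintext at that moment, and the wrapped keys are lost together with the data if the provider loses the object, so key custody is no substitute for backups and an exit plan.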

Financial companies can, individually or jointly, develop threat scenarios that focus on disruptive events, and use these as a basis for testing their (internal and external) ICT processes. This can give them more insight into the options that remain in a crisis scenario. Financial companies can also share threat intelligence more efficiently and, subject to applicable competition rules, take concerted action when contracting ICT services. The AFM and DNB are prepared to facilitate these initiatives. They will particularly focus their DORA and other supervision on financial companies’ preparations for disruptive scenarios and offer, where necessary, to facilitate collaboration among financial institutions and ICT service providers to support these scenario analyses.
