Risk Horizon
Live

Intelligence generated by AI from public regulatory sources. Not investment or regulatory advice. Verify before relying on any output.

Signals
high·EBA · European Banking Authority

EBA Opinion on ICT Third-Party Concentration Risk Under DORA

The EBA published an opinion on systemic ICT third-party concentration risk, warning that critical cloud and security operations infrastructure providers present sector-level concentration exposures not visible at individual firm level. The opinion will inform designation criteria for critical ICT third parties subject to direct DORA oversight.

Materiality

Horizon

Near Term

Source Type

supervisory guidance

Published

15 September 2025

AI Commentary

This is a precursor to ESA designation of critical ICT third parties. Firms should assess their concentration exposure to likely designation candidates — hyperscalers and core banking vendors — and begin engagement with critical providers on their own DORA oversight preparation.

Related Themes

2 themes

Operational Resilience & Critical Third Parties

Operational Risk

established

Cyber Threat Intelligence & Incident Reporting

Cyber Risk

crystallising