Skip to main content
Vermont Solutions

Glossary · Critical cloud · ICT risk

Cloud concentration risk: dependence as systemic risk

Cloud concentration risk is the exposure created when many institutions depend on a small number of providers —the hyperscalers— for critical functions. Under DORA, that dependence stops being an internal matter and is monitored as systemic risk: the failure of a single provider could affect a substantial part of the sector at once.

How it is managed

  • Dependency mapping — an inventory of which critical functions depend on which provider, down to the relevant subcontractor.
  • Exit strategy — a documented and tested plan to leave each critical provider without interrupting essential functions.
  • Reversibility — the technical ability to take data and workloads to another provider or back on-premise, using open formats and tools.
  • Multicloud — spreading workloads across providers or maintaining credible alternatives so as not to depend on a single one.

Why it matters in banking and insurance

For the supervisor, the question is not whether an institution uses the cloud, but what would happen if its critical provider failed —and whether that same provider underpins half the banking sector at once. That is why DORA (Regulation (EU) 2022/2554) elevates concentration risk to a matter of oversight and empowers the European authorities to supervise critical ICT providers directly. The institution's response is demonstrable: dependency mapping, a tested exit strategy and real reversibility, usually supported by multicloud architectures.

How Vermont Solutions helps

ICT risk governance and a demonstrable exit strategy

Vermont supports financial institutions in mapping their dependence on critical providers, designing verifiable exit strategies and the multicloud reversibility required by the operational resilience framework.

See governance and compliance →

Fuentes

Last updated: 2026-06-21. Editorial content by Vermont Solutions, citable with attribution.