DNB and AFM Joint Report on digital dependence in the financial sector
On 20 October 2025, the Dutch Central Bank (De Nederlandsche Bank, DNB) and the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) published a joint report on the current state of the financial sector’s dependence on non-European IT infrastructure. The report examines how this dependence emerged and how financial institutions manage the associated risks, provides an overview of the supervisory framework, and offers guidance on risk management practices.
1. Digital dependency risks
The report states that the financial sector’s dependence on non-European tech companies is growing. As financial institutions increasingly rely on external technology providers to support critical processes, business continuity, cyber security and data sovereignty face increased risks. Therefore, DNB and the AFM conclude that reducing the financial sector’s reliance on non-European IT vendors is strategically critical.
1.1 Background
Financial institutions have increasingly transferred operational responsibility for IT infrastructure to external IT service providers. As a result, these IT service providers now fulfil both supportive roles (such as customer interactions) and critical functions (such as management and compliance). This leads to the current situation in which institutions are heavily dependent on third parties for networks for real-time transactions, public cloud platforms and secure data centres for data storage and hosting.
1.2 Risks in the current situation
The joint report describes the key risks related to digital dependence.
First, there are concentration risks: institutions have shifted from outsourcing IT functions to various IT service providers to depending on one or just a few ‘hyperscalers’. Failures and cyber incidents at a single provider can simultaneously affect entire chains of service providers and multiple financial institutions, particularly as more operations within financial institutions become digitalised.
Beyond concentration risks, DNB and the AFM emphasize the risks associated with dependence on non-EU IT service providers, as geopolitical tensions can result in service interruptions affecting entire chains of service providers and, consequently, financial institutions. Currently, there are few EU alternatives for IT service providers, although sovereign cloud solutions are being developed in the EU.
Furthermore, ‘vendor lock-in’ makes mitigating these risks increasingly difficult. IT functions are generally developed for particular cloud platforms used by the respective financial institutions, which makes migrating functions to other platforms costly and time-consuming.
Finally, DNB and the AFM emphasize compliance risks under privacy legislation arising from IT services outsourcing when data is processed or stored outside the EU.
2. Risk management
2.1 Financial institutions
DNB and the AFM surveyed financial institutions and IT vendors on the risk management of digital dependence. Financial institutions are generally aware of the dependence risks but argue that the dominance of non-EU hyperscalers makes it impossible to effectively mitigate concentration of IT services. Beyond risk awareness, institutions are using open standards and ‘containerisation technologies’ (i.e., running IT functions on infrastructure of the institution’s choice) to avoid vendor lock-in, thereby easing the potential migration of IT functions.
Additionally, institutions explore scenarios involving service discontinuation or interruption and prepare appropriate mitigation measures. They also map the subcontractors and supply chain partners of their key IT service providers in accordance with Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) requirements.
2.2 IT service providers
From the perspective of IT service providers, risk management involves compliance with DORA requirements (including contracts with uptime guarantees, exit options, and audit rights) and the development of European sovereign cloud solutions. Some IT service providers enable financial institutions to manage and secure their own encryption keys, thereby preventing unauthorized access by the service providers themselves.
3. Supervision and policy
As mentioned, there are currently very few EU IT service providers that offer comprehensive service offerings comparable to non-EU big tech companies. Nonetheless, the supervisors’ long-term objective is for financial institutions to transition from non-EU service providers to EU service providers.
In both the short and long term, financial institutions’ compliance with digital resilience legislation, including DORA and applicable national law, remains of paramount importance.
Under DORA, financial institutions retain full responsibility for the financial services they provide. Contracts must include provisions addressing exit strategies and IT service continuity. Additionally, institutions must consider restrictive measures (e.g., sanctions) in their risk analyses and conduct periodic resilience testing. DORA also requires institutions to assess indirect (third-party) dependencies throughout the entire chain of IT service providers by maintaining a ‘DORA Register of Information’, which provides insight into the institutions’ relevant concentration risks.
Similarly, the Dutch Wet op het financieel toezicht (Financial Supervision Act) imposes outsourcing risk obligations on financial institutions that fall outside DORA’s scope (e.g., settlement agents, basic insurers).
Furthermore, DNB and the AFM will cooperate with the Dutch Data Protection Authority (AP), the Dutch Authority for Consumers and Markets (ACM), and the Dutch Authority for Digital Infrastructure (RDI) to supervise compliance with legislative requirements insofar as they affect the financial sector.
The AP oversees the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), which establishes rules for third-party data storage and processing and the conditions for transferring personal data outside the EU. The Network and Information Security Directive 2 (Directive (EU) 2022/2555, NIS2), likely entering into force in the second quarter of 2026, establishes rules for enhancing cybersecurity resilience among critical infrastructure across the EU, including certain financial institutions, and will be overseen by the RDI in the Netherlands. Additionally, the ACM has overseen the Data Act (Regulation (EU) 2023/2854) since September 2025. The Data Act establishes rules for data sharing, including interoperability among cloud service providers (i.e., enabling vendor switching).
Recommendations for mitigating dependency risks
DNB and the AFM provide recommendations in their report for mitigating dependency risks. Compliance with DORA requirements and planning for disruptive scenarios are of paramount importance. The supervisors make the following recommendations for specific scenarios:
- Geopolitical sanctions resulting in the cessation of operations by key third-party suppliers.
  Financial institutions should: (i) transition to EU-sovereign cloud solutions; (ii) participate in EU-wide IT standardisation and harmonisation platforms; and (iii) formalise intra-EU collaboration by specifying services to be delivered and identifying responsible guarantors.
- Hybrid attacks by state actors aimed at disruption.
  Financial institutions should share threat intelligence and conduct joint exercises with service providers. Additionally, institutions should develop threat scenarios that include mitigation strategies and prepare non-IT forms of data processing.
More generally, the supervisors recommend that institutions:
- Adopt a multi-vendor strategy: institutions should explore alternative suppliers to support critical services.
- Consider using open standards and open-source solutions to mitigate vendor lock-in.
- Implement containerisation as this allows easier migration of IT functions across providers and infrastructure.
- Adopt the use of proprietary keys to achieve a higher level of data sovereignty.
Finally, DNB and the AFM have set out two expectations for financial institutions.
- Financial institutions should consult the DORA Register of Information to identify their concentration risks and dependencies. This allows further concentration and lock-in risks to be avoided, while institutions remain vigilant for new concentration and lock-in risks; and
- Institutions must appropriately manage risks arising from third-party dependencies. Following the assessment of current dependencies, including consultation of the DORA Register, institutions may implement the four measures recommended by the supervisors to mitigate dependency risks.
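The analysis the supervisors expect institutions to run over their DORA Register of Information (section 3 and the first expectation above) is, in essence, a dependency-graph query: which providers, direct or nth-party, sit under several critical functions, which critical functions have a non-EU provider somewhere in their chain, and which subcontractors the institution never contracted with but depends on anyway. The following Python script is an added example, not part of the DNB/AFM report and not a DORA tool; the reduced register row (`Arrangement`, `Provider`), the provider names, the functions and the countries are all constructed for illustration, and the real register templates carry far more fields than modelled here.

```python
from collections import defaultdict
from dataclasses import dataclass

# EU member states plus EEA (Iceland, Liechtenstein, Norway), ISO 3166-1 alpha-2.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Provider:
    name: str
    country: str  # country of establishment, ISO 3166-1 alpha-2


@dataclass(frozen=True)
class Arrangement:
    """One contractual ICT arrangement (hypothetical, reduced register row)."""
    function: str               # business function the service supports
    critical: bool              # critical or important function under DORA
    direct_provider: Provider
    subcontractors: tuple = ()  # downstream chain, nearest subcontractor first


def chain(arr: Arrangement) -> tuple:
    """Full supply chain for an arrangement, direct provider first."""
    return (arr.direct_provider,) + tuple(arr.subcontractors)


def provider_fan_in(register) -> dict:
    """Map each provider, direct or nth-party, to the critical functions whose
    chain passes through it. High fan-in is the concentration risk the report
    describes: one outage or incident hits several functions at once."""
    fan_in = defaultdict(set)
    for arr in register:
        if arr.critical:
            for p in chain(arr):
                fan_in[p.name].add(arr.function)
    return {name: sorted(funcs) for name, funcs in fan_in.items()}


def concentration_hotspots(register, threshold: int = 2) -> list:
    """Providers on which at least `threshold` critical functions depend."""
    return sorted(name for name, funcs in provider_fan_in(register).items()
                  if len(funcs) >= threshold)


def non_eu_exposed_functions(register, eu=EU_EEA) -> list:
    """Critical functions whose chain includes a provider established outside
    the EU/EEA: the geopolitical and data-transfer exposure the report flags."""
    return sorted({arr.function for arr in register
                   if arr.critical and any(p.country not in eu for p in chain(arr))})


def hidden_dependencies(register) -> dict:
    """Providers never contracted directly but present as subcontractors under
    a critical function: the indirect dependencies DORA requires institutions
    to trace through the whole chain."""
    direct = {arr.direct_provider.name for arr in register}
    hidden = defaultdict(set)
    for arr in register:
        if arr.critical:
            for p in arr.subcontractors:
                if p.name not in direct:
                    hidden[p.name].add(arr.function)
    return {name: sorted(funcs) for name, funcs in hidden.items()}


# Constructed sample register; provider names and countries are invented.
HYPER_US = Provider("HyperCloud-US", "US")
SOV_NL = Provider("SovereignCloud-NL", "NL")
NET_DE = Provider("PayNet-DE", "DE")
SAAS_IE = Provider("CRMSaaS-IE", "IE")
DC_NL = Provider("DataCentre-NL", "NL")
KMS_US = Provider("KMS-Host-US", "US")

SAMPLE_REGISTER = (
    Arrangement("payment processing", True, NET_DE, (HYPER_US,)),
    Arrangement("core banking hosting", True, HYPER_US),
    Arrangement("regulatory reporting", True, SOV_NL, (DC_NL, KMS_US)),
    Arrangement("customer CRM", False, SAAS_IE, (HYPER_US,)),
    Arrangement("data archive", True, DC_NL),
)


def dependency_report(register=SAMPLE_REGISTER, threshold: int = 2) -> dict:
    """Bundle the three checks into one summary for a register."""
    return {
        "hotspots": concentration_hotspots(register, threshold),
        "non_eu_exposed": non_eu_exposed_functions(register),
        "hidden": hidden_dependencies(register),
    }


if __name__ == "__main__":
    for key, value in dependency_report().items():
        print(f"{key}: {value}")
```

On the constructed register, `HyperCloud-US` shows up under two critical functions even though it is contracted directly for only one of them (it is a subcontractor of the payment network), and `KMS-Host-US` appears only as a second-tier subcontractor. Both are exactly the kind of dependency that is invisible if the analysis stops at direct contracts, which is why the register must be populated down the chain before the multi-vendor, open-standards, containerisation and own-key measures above can be targeted at the right providers.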
For a detailed summary of the DNB and AFM report, including digital dependencies and associated risks, current risk mitigation approaches by financial institutions and IT service providers, and supervision of existing and forthcoming legislation, please refer to our comprehensive article.