THREAT BRIEFING · 15.07.2026 DEENFRES

Strategy & Governance

The concentration risk no supplier audit sees

By Tobias Massow · July 8, 2026 · 7 min read

Ten of your suppliers passed the audit. Each one clean on its own. And yet all ten go silent as soon as a single hyperscaler fails on which they run together unnoticed. This is concentration risk. No audit of any individual supplier makes it visible.

Key Takeaways

  • The individual audit does not see the pattern. Third-party management evaluates each supplier on its own. Concentration risk only arises across the entire portfolio, where many paths lead to the same provider.
  • The fourth party is missing from the contract. Your provider’s provider, its data center, its network service provider extend the chain with links that no one signed.
  • DORA leads the way. The financial sector must assess its dependence on a few irreplaceable providers and maintain the full chain of sub-service providers. The pattern applies far beyond the financial industry.
  • The Board steers, not the checklist. Concentration must be visible at the portfolio level: substitutability, exit capability, multi-provider strategy, stress test for the failure of a node.

Related: Five metrics the supervisory board really understands  ·  The AI Act is in truth a security law

Why Individual Audits Overlook Concentration Risk

Third-party risk management evaluates each supplier in isolation: certificates, questionnaires, a score. At the end is a traffic light. Ideally every one is green. But the risk is not in the individual supplier. It sits in the sum. When twenty green-rated suppliers all run on the same cloud provider, the same identity service, or the same region, a failure there takes all twenty offline at the same time. The individual assessment cannot show this structurally.

The supervisory authorities have recognized exactly this gap. For DORA they require concentration assessment at the portfolio level. They explicitly do not accept individual vendor scores. The stance for 2026 is enforcement-oriented, not advisory.

Recent history delivers the pattern entirely without finger-wagging. Major cloud and CDN outages have repeatedly shown how the failure of a single provider takes hundreds of seemingly independent services offline at the same minute, from the payment app to the government website. None of these services had a bad supplier. They had the same one.

Definition · Fourth-Party Risk

The risk arising from the sub-service providers of one’s own supplier. The cloud provider of the service provider, its data center, its network operator form a chain that often does not appear in one’s own contract but fully impacts in the event of failure.

30 Providers

bundle half of the critical outsourcing expenditures of major EU banks (ECB 2024)

19

critical IT service providers named by the EU supervisory authorities in November 2025

Art. 30(5)

DORA explicitly regulates the chain of subcontractors

The Fourth Party: The Link Missing from the Contract

The direct supplier is the third party. Its cloud provider, its data center, its network service provider are the fourth, fifth, sixth. This chain rarely stands in the contract and even less often in the risk register. DORA addresses exactly this hidden depth: For critical functions the provider requires the customer’s written consent before passing on essential parts. It must report changes in the subcontractor stack in advance.

For practice this means only one thing: The review must not end with the contractual partner. Whoever does not know the fourth party does not know their true outage risk. The friendly-sounding sentence “We use a leading cloud provider” is in doubt the description of a shared single point of failure.

> 30 %

of the total outsourcing budgets of major EU banks flow to only ten providers

Source: ECB analysis 2024

What DORA Demonstrates to the Rest of the Economy

DORA, the Digital Operational Resilience Act, applies to the financial sector. The largest regulatory block of the regulation concerns the management of IT third parties. Two obligations from it are instructive for every industry. First, the explicit assessment of whether a company depends dangerously on a few or irreplaceable providers. Second, a register of all contractual relationships with IT service providers, including the complete chain of subcontractors. On this basis, the European supervisory authorities designate critical providers and place them under direct supervision.

The register is more than bureaucracy. It is the only instrument that makes concentration calculable at all. Only when all contracts, functions, and sub-service providers converge in one place can the question be answered how many critical processes actually depend on a single provider. Without this picture, every statement about concentration remains a conjecture.

The financial sector is a pioneer here, not a special case. Cloud concentration, a dominant identity service, an overloaded region: the same pattern affects industry, commerce, and public administration. DORA primarily provides a blueprint for how to make concentration visible before it becomes an outage.

What a Board Must Steer Now

Concentration risk is a leadership task, not a detail of procurement. Five levers belong on the board agenda. None of them can be delegated to a supplier list.

A green portfolio is not the same as a resilient one.

Concentration risk does not disappear because every single traffic light lights green. It only becomes visible when someone asks the question that no supplier audit asks: Of what we have purchased, what actually hangs on the same thread?

Frequently Asked Questions

Each question is locked. Tapping unlocks the answer.

What is concentration risk in the supply chain?

The dangerous dependence on a few or irreplaceable providers. It does not arise with an individual supplier but across the entire portfolio when many suppliers build on the same provider, the same region, or the same service.

How does this differ from the classic supplier audit?

The audit evaluates each supplier individually. Concentration risk only becomes visible in the sum. That is why supervisors under DORA require assessment at the portfolio level and explicitly do not accept individual vendor scores.

What does fourth-party risk mean?

The risk from the sub-service providers of one’s own supplier. When the service provider itself builds on a hyperscaler, a data center, or a network operator, the chain is extended by links that usually do not appear in one’s own contract.

Does DORA also apply outside the financial sector?

Legally DORA obligates the financial sector. The principle of assessing concentration at the portfolio level and maintaining the subcontractor chain is, however, transferable to industry, commerce, and administration. DORA provides the blueprint, not the boundary.

What is the first step for a board?

A concentration map across the entire supplier portfolio. It shows where many paths lead to the same provider. Only then can substitutability, exit, and multi-provider strategy be meaningfully steered.

Editor’s Picks

Editor’s PickSupply Chain Risk Is a Program, Not an Audit ChecklistEditor’s PickWhat Is DORA? Definition, Obligations, and DeadlinesEditor’s PickThe weakest supplier opens the critical facility

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Image source: AI-generated (July 2026)

Further reading

News · July 2, 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

A magazine by Evernine Media GmbH