The concentration risk no supplier audit sees
Ten of your suppliers passed the audit. Each one clean on its own. And yet all ten go silent as soon as a single hyperscaler fails on which they run together unnoticed. This is concentration risk. No audit of any individual supplier makes it visible.
Key Takeaways
- The individual audit does not see the pattern. Third-party management evaluates each supplier on its own. Concentration risk only arises across the entire portfolio, where many paths lead to the same provider.
- The fourth party is missing from the contract. Your provider’s provider, its data center, its network service provider extend the chain with links that no one signed.
- DORA leads the way. The financial sector must assess its dependence on a few irreplaceable providers and maintain the full chain of sub-service providers. The pattern applies far beyond the financial industry.
- The Board steers, not the checklist. Concentration must be visible at the portfolio level: substitutability, exit capability, multi-provider strategy, stress test for the failure of a node.
Related: Five metrics the supervisory board really understands · The AI Act is in truth a security law
Why Individual Audits Overlook Concentration Risk
Third-party risk management evaluates each supplier in isolation: certificates, questionnaires, a score. At the end is a traffic light. Ideally every one is green. But the risk is not in the individual supplier. It sits in the sum. When twenty green-rated suppliers all run on the same cloud provider, the same identity service, or the same region, a failure there takes all twenty offline at the same time. The individual assessment cannot show this structurally.
The supervisory authorities have recognized exactly this gap. For DORA they require concentration assessment at the portfolio level. They explicitly do not accept individual vendor scores. The stance for 2026 is enforcement-oriented, not advisory.
Recent history delivers the pattern entirely without finger-wagging. Major cloud and CDN outages have repeatedly shown how the failure of a single provider takes hundreds of seemingly independent services offline at the same minute, from the payment app to the government website. None of these services had a bad supplier. They had the same one.
Definition · Fourth-Party Risk
The risk arising from the sub-service providers of one’s own supplier. The cloud provider of the service provider, its data center, its network operator form a chain that often does not appear in one’s own contract but fully impacts in the event of failure.
bundle half of the critical outsourcing expenditures of major EU banks (ECB 2024)
critical IT service providers named by the EU supervisory authorities in November 2025
DORA explicitly regulates the chain of subcontractors
The Fourth Party: The Link Missing from the Contract
The direct supplier is the third party. Its cloud provider, its data center, its network service provider are the fourth, fifth, sixth. This chain rarely stands in the contract and even less often in the risk register. DORA addresses exactly this hidden depth: For critical functions the provider requires the customer’s written consent before passing on essential parts. It must report changes in the subcontractor stack in advance.
For practice this means only one thing: The review must not end with the contractual partner. Whoever does not know the fourth party does not know their true outage risk. The friendly-sounding sentence “We use a leading cloud provider” is in doubt the description of a shared single point of failure.
of the total outsourcing budgets of major EU banks flow to only ten providers
Source: ECB analysis 2024
What DORA Demonstrates to the Rest of the Economy
DORA, the Digital Operational Resilience Act, applies to the financial sector. The largest regulatory block of the regulation concerns the management of IT third parties. Two obligations from it are instructive for every industry. First, the explicit assessment of whether a company depends dangerously on a few or irreplaceable providers. Second, a register of all contractual relationships with IT service providers, including the complete chain of subcontractors. On this basis, the European supervisory authorities designate critical providers and place them under direct supervision.
The register is more than bureaucracy. It is the only instrument that makes concentration calculable at all. Only when all contracts, functions, and sub-service providers converge in one place can the question be answered how many critical processes actually depend on a single provider. Without this picture, every statement about concentration remains a conjecture.
The financial sector is a pioneer here, not a special case. Cloud concentration, a dominant identity service, an overloaded region: the same pattern affects industry, commerce, and public administration. DORA primarily provides a blueprint for how to make concentration visible before it becomes an outage.
What a Board Must Steer Now
Concentration risk is a leadership task, not a detail of procurement. Five levers belong on the board agenda. None of them can be delegated to a supplier list.
- Map concentration. Make visible across the entire portfolio where many suppliers hang on the same provider, the same region, or the same service.
- Check substitutability. For every critical function, answer how quickly a replacement provider could take over.
- Prepare exit. Build contracts and architecture so that switching a provider remains possible before it becomes necessary.
- Multi-provider strategy. Deliberately distribute critical functions across multiple providers instead of relying on an efficiency monoculture.
- Simulate outage. The stress test does not ask whether a supplier fails. It asks what happens when a concentration node fails.
A green portfolio is not the same as a resilient one.
Concentration risk does not disappear because every single traffic light lights green. It only becomes visible when someone asks the question that no supplier audit asks: Of what we have purchased, what actually hangs on the same thread?
Frequently Asked Questions
Each question is locked. Tapping unlocks the answer.
What is concentration risk in the supply chain?
The dangerous dependence on a few or irreplaceable providers. It does not arise with an individual supplier but across the entire portfolio when many suppliers build on the same provider, the same region, or the same service.
How does this differ from the classic supplier audit?
The audit evaluates each supplier individually. Concentration risk only becomes visible in the sum. That is why supervisors under DORA require assessment at the portfolio level and explicitly do not accept individual vendor scores.
What does fourth-party risk mean?
The risk from the sub-service providers of one’s own supplier. When the service provider itself builds on a hyperscaler, a data center, or a network operator, the chain is extended by links that usually do not appear in one’s own contract.
Does DORA also apply outside the financial sector?
Legally DORA obligates the financial sector. The principle of assessing concentration at the portfolio level and maintaining the subcontractor chain is, however, transferable to industry, commerce, and administration. DORA provides the blueprint, not the boundary.
What is the first step for a board?
A concentration map across the entire supplier portfolio. It shows where many paths lead to the same provider. Only then can substitutability, exit, and multi-provider strategy be meaningfully steered.
Editor’s Picks
Editor’s PickSupply Chain Risk Is a Program, Not an Audit ChecklistEditor’s PickWhat Is DORA? Definition, Obligations, and DeadlinesEditor’s PickThe weakest supplier opens the critical facility
More from the MBF Media Network
Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform
Image source: AI-generated (July 2026)





