De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) have published a report on banks’, insurers’ and pension funds’ increasing reliance on external digital infrastructure, particularly cloud services and AI-related tools, and on the risks created by concentrated dependencies on a limited number of providers. The report highlights sector-wide exposure if a major supplier suffers an outage or disruption, elevated geopolitical vulnerability where key providers are non-European, and “vendor lock-in” that can make switching providers technically difficult and costly. It also points to risks arising from complex subcontracting chains that are hard to monitor, with potential consumer impacts ranging from service outages to concerns about data sovereignty. Mitigations cited include strengthened exit strategies and continuity planning, more granular mapping of dependencies, and technical approaches such as containerisation, alongside supplier offerings such as sovereign cloud models and customer-controlled encryption keys. The report notes that concentration and geopolitical risks may persist despite these measures. It situates these issues alongside the EU Digital Operational Resilience Act (DORA), which tightens third-party risk management, contract, exit and continuity expectations and introduces European oversight of critical IT suppliers. The report also calls for cross-border supervisory cooperation, consideration of a dedicated European cloud regulator, and stronger European alternatives in cloud and AI.
De Nederlandsche Bank 2025-10-28
De Nederlandsche Bank and the Netherlands Authority for the Financial Markets publish report warning on growing financial sector dependence on a small set of IT providers
De Nederlandsche Bank and the Netherlands Authority for the Financial Markets report on banks', insurers', and pension funds' reliance on external digital infrastructure, highlighting risks from cloud services and AI tools. It recommends strengthened exit strategies, continuity planning, and technical solutions, aligning with the EU Digital Operational Resilience Act and advocating for cross-border supervisory cooperation and a potential European cloud regulator.