European Central Bank (ECB) Banking Supervision published a Supervision Newsletter summarising its 2024 analysis of significant institutions’ outsourcing registers, pointing to growing reliance on outsourced critical services, particularly cloud-based ICT, alongside vulnerabilities in banks’ IT outsourcing strategies. The update links these trends to supervisors’ focus on remediating deficiencies in IT outsourcing, IT security and cyber risk, and to the EU’s Digital Operational Resilience Act (DORA).
Year-end 2023 data show the share of administrative expenses spent on outsourcing rose to 7.2% from 6.8%. Average ICT outsourcing expenditure per significant institution increased by 2.1% to around EUR 83.9 million, although ICT’s share of total outsourcing spending fell to 47% from 49% as other categories grew, with payment services and cash management at 10% and 8%. Cloud outsourcing expanded further, with nearly all banks outsourcing cloud-based critical functions and average cloud spending per significant institution up 13.5% to around EUR 57.0 million.
Supply chains remained complex, with contracts averaging four subcontractors and 67% involving sub-outsourcing to external providers, including 52% of intragroup contracts sub-outsourced externally. Substitutability indicators deteriorated, with the share of outsourced critical functions that are difficult or impossible to substitute increasing to 82% from 80%, and 95% of these also difficult or impossible to reintegrate. Dependence on non-EU locations increased, with the proportion of critical ICT contracts with external providers located outside the EU rising to 27% from 22% and the number of critical services provided from non-EU countries up 36%, particularly involving the United Kingdom, United States and India. Concentration remained high, with half of the budget spent on only 30 external providers.
ECB Banking Supervision underlines the need for stronger third-party risk management and alignment with DORA for ICT contracts, and flags heightened geopolitical risk considerations when critical ICT services are sourced from outside the EU.