Cloud cost 3 min read Yair Knijn

Using cloud cost data for DORA concentration risk assessments

DORA requires financial entities to assess concentration risk from ICT third-party providers; structured cloud spend data forms one input to that assessment.

DORA places explicit obligations on financial entities to assess and mitigate concentration risk arising from ICT third-party arrangements. Cloud spend data, when structured correctly, forms one measurable input into that assessment.

Concentration risk under DORA

Article 28 requires financial entities to manage ICT third-party risk as part of the overall ICT risk management framework. This includes identifying cases where reliance on a single provider, or on a small number of providers, could affect the entity’s ability to deliver critical or important functions. The ESAs have emphasised that concentration at the level of the financial sector as a whole is also in scope when designating critical ICT third-party providers.

Article 28(8) and related provisions require documented exit strategies for arrangements that support critical or important functions. An exit strategy is difficult to cost or to test without visibility into the current consumption of the services being exited.

What cost data contributes to the analysis

A register of information records the existence of a contract and its classification. It does not quantify the financial entity’s dependence in operational or financial terms. Spend per provider, broken down by service family and by environment (production, disaster recovery, non-production), indicates the volume of workloads that would need to be moved under an exit scenario.

Trends over multiple quarters show whether dependence is increasing. A rising share of total cloud spend directed at one hyperscaler, even when multiple contracts exist, signals growing concentration. Cost data also supports the estimation of exit costs: data egress, parallel run periods, re-licensing of alternative services, and staff time for migration and testing.

Under the 2026 Register of Information cycle, entities that already tag ICT third-party arrangements by provider and by criticality classification can join spend reports directly to the register entries. This join reduces the chance that a supervisor receives a contract list that does not match the actual consumption profile presented in the risk assessment.

Tagging and allocation discipline

FinOps practice requires consistent tagging of resources by cost centre, environment, application, and provider. The same taxonomy, when extended with a “dora-criticality” or “ict-third-party” tag, turns ordinary cost allocation data into evidence for concentration analysis.
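The join and the concentration metrics described in the two sections above (spend per provider restricted to critical functions, quarter-over-quarter share, and billing tags that match no register entry), as an added worked example that is not code from the original post or from any product it names. The register entries, contract references, tag names and spend figures are constructed sample data, and the 50% share threshold is an assumed illustrative value.

```python
from collections import defaultdict

# Constructed register of information: one entry per ICT third-party arrangement,
# keyed by the contract reference that resources carry as a tag.
REGISTER = {
    "CTR-001": {"provider": "hyperscaler-a", "dora_criticality": "critical"},
    "CTR-002": {"provider": "hyperscaler-b", "dora_criticality": "critical"},
    "CTR-003": {"provider": "saas-vendor-c", "dora_criticality": "non-critical"},
}

# Constructed tagged billing lines: (quarter, contract tag, environment, service family, EUR).
BILLING = [
    ("2025Q1", "CTR-001", "production", "compute", 400_000),
    ("2025Q1", "CTR-001", "dr", "storage", 100_000),
    ("2025Q1", "CTR-002", "production", "compute", 300_000),
    ("2025Q1", "CTR-003", "production", "saas", 200_000),
    ("2025Q2", "CTR-001", "production", "compute", 550_000),
    ("2025Q2", "CTR-001", "dr", "storage", 150_000),
    ("2025Q2", "CTR-002", "production", "compute", 250_000),
    ("2025Q2", "CTR-003", "production", "saas", 200_000),
    ("2025Q2", "CTR-999", "production", "compute", 50_000),  # tag with no register entry
]

def join_spend_to_register(billing, register):
    """Sum spend on critical-function arrangements per quarter and provider.
    Lines whose contract tag is absent from the register are returned separately:
    they are the consumption a supervisor would not find in the register."""
    spend = defaultdict(lambda: defaultdict(float))
    unmatched = []
    for quarter, contract, _env, _family, amount in billing:
        entry = register.get(contract)
        if entry is None:
            unmatched.append((quarter, contract, amount))
        elif entry["dora_criticality"] == "critical":
            spend[quarter][entry["provider"]] += amount
    return spend, unmatched

def provider_share(spend):
    """Each provider's share of critical-function spend, per quarter."""
    return {q: {p: round(v / sum(by_p.values()), 4) for p, v in by_p.items()}
            for q, by_p in spend.items()}

def rising_concentration(shares, threshold=0.5):
    """Flag providers whose share exceeds the threshold and grew since the prior quarter."""
    quarters = sorted(shares)
    flagged = []
    for prev, cur in zip(quarters, quarters[1:]):
        for provider, share in shares[cur].items():
            if share > threshold and share > shares[prev].get(provider, 0.0):
                flagged.append((cur, provider, share))
    return flagged
```

Running `rising_concentration(provider_share(join_spend_to_register(BILLING, REGISTER)[0]))` on the sample data flags hyperscaler-a in 2025Q2, whose share of critical-function spend rose from 62.5% to about 73.7%, while the CTR-999 line is reported as spend with no matching register entry.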

Without this discipline, finance teams produce monthly burn-down reports while risk and compliance teams maintain separate spreadsheets. The two artefacts diverge, and the entity cannot demonstrate that the concentration risk assessment used current, accurate consumption figures.

Tools that surface provider-level spend, forecast migration costs for a given workload set, and export tagged data in formats acceptable to audit and supervisory processes close the gap. The same data set serves the annual budget process and the DORA risk reporting cycle.

Overlap with NIS2 resilience obligations

Financial entities that are also in scope of NIS2 face overlapping expectations on supply-chain risk and on the resilience of network and information systems. Concentration in a single cloud provider creates a shared dependency that affects incident response and recovery timelines under both regimes. Cost data that identifies the scale of the dependency provides a starting point for the multi-provider or exit options that both directives expect entities to consider.

Entities that integrate FinOps outputs into their ICT risk management artefacts satisfy multiple supervisory questions from a single source of truth rather than reconciling separate views after the fact.

See Cloud Horizons for spend attribution and forecasting features that support concentration risk records.
