On 20 October 2025, the Dutch Authority for Financial Markets (Autoriteit Financiële Markten, the AFM) and the Dutch Central Bank (De Nederlandsche Bank, DNB) published a report about digital dependency in the financial sector. The key message is that the Dutch financial sector faces systemic risks as it has a growing reliance on a limited number of non-EU IT providers. The regulators identify several dependency risks, assess how these are managed and set out the applicable legal and regulatory framework in relation to digital dependency.
The financial sector increasingly depends on external IT service providers and cloud environments, which leads to concentration and systemic risks. These risks are especially present where geopolitical developments may result in that dependence being exploited by state actors. Another risk is ‘vendor lock-in’, as migrating to another system is more complex once an entity operates within a specific ecosystem. Cyber attacks continue to pose a risk, the impact of which has increased significantly over time. Finally, outsourcing data storage and processing to cloud service providers raises issues around data protection, supervision, and compliance. The AFM and DNB have applied a scenario analysis, from which it follows that a stronger EU tech sector is necessary to prevent the EU from being vulnerable to technological disruptions resulting from geopolitical disruptions.
The AFM and DNB find that financial institutions are aware of these risks, but that an EU alternative of the same quality as non-EU tech providers, such as cloud service providers, is often lacking. Where financial institutions can choose from multiple vendors, they will do so. They do not deem it feasible or realistic to switch to their own data centres or co-location. Financial institutions apply risk management regarding IT risks, closely map which (sub-)contractors and chain partners their primary suppliers work with, and have exit and business continuity plans in place regarding critical third parties.
The Digital Operational Resilience Act (Directive (EU) 2022/2554, DORA) aims to manage the risks associated with third-party IT service providers. The most critical IT suppliers at EU level are subject to supervision under DORA. Although the current legal and regulatory framework contributes to this risk management, vulnerabilities remain. In the short term, financial institutions should take measures to prepare for disruptive scenarios and to mitigate the potential impact where possible. In the longer term, the EU should become less dependent on non-EU IT providers and achieve a greater degree of digital autonomy, among other things by developing EU alternatives. The AFM and DNB suggest that EU policymakers should consider establishing a cross-sectoral European cloud regulator.
The report is available here (Dutch only).