Supervision release 26 May 2023 – 28/2023

Thematic assessment: state of ICT outsourcing among supervised entities

The FIN-FSA has conducted a thematic assessment examining the current state of outsourcing of information and communication technology (ICT) by entities supervised by it, and the potential concentration of outsourcing to the same providers.

No significant concentration risks among ICT outsourcing partners

Supervision of the digitalising financial sector is one of the focus areas in the FIN-FSA’s strategy. In recent years, the FIN-FSA has detected an increase in the number of outsourcing notifications from supervised entities. The concentration of ICT outsourcing and other service production in the financial sector to the same providers is a risk that becomes emphasised as the number of outsourcing arrangements increases. Therefore, the FIN-FSA has examined whether ICT outsourcing among its supervised entities is potentially concentrated to the same providers. The information was collected in autumn 2022 with a survey that was answered by approximately 150 of the FIN-FSA's most important supervised entities.

Based on the information collected, outsourcing in the Finnish financial sector is not heavily concentrated. There are important ICT outsourcing partners in different sectors, but no providers whose problems would have a significant detrimental impact on the operation of supervised entities across the whole sector. Based on the information collected, no ICT outsourcing partner was identified whose problems would cause an extensive disruption in the entire financial sector. Furthermore, analysis of the results did not reveal any ICT outsourcing partners whose significance had not already been recognised.

However, the significance of large cloud service providers has increased in recent years, and their role is likely to become critical at some point. The FIN-FSA supervises the development of outsourcing in the ICT field. The FIN-FSA stresses that as ICT outsourcing increases, it is important to see that supervised entities have enough expertise related to the management of risk in ICT outsourcing. Supervised entities must also ensure that notifications concerning ICT outsourcing are submitted without delay to the FIN-FSA.

New regulation to introduce tighter supervision of ICT outsourcing in the financial sector

The concentration of ICT outsourcing may pose risks with different levels of probability and impact to the continuity of services of outsourcing clients. The EU’s Digital Operational Resilience Act (DORA) focuses on this risk by introducing a dedicated oversight framework for EU-wide outsourcing partners of the financial sector. Following DORA, supervised entities must provide information on outsourcing in a standardised format, and the information will be collected in a harmonised manner throughout Europe. DORA will apply as of 17 January 2025. The FIN-FSA will provide more detailed guidance to its supervised entities about DORA's requirements.

