DORA-Art31-P1

Article
31 (1)
Pillar
Third-Party ICT Risk Management
Regulation Ref
Regulation (EU) 2022/2554, Article 31(1)
Last Reviewed
2026-01-15

Financial entities shall assess the concentration risk arising from the use of ICT services provided by ICT third-party service providers, taking into account the degree of substitutability of the ICT third-party service providers.

Evidence Profiles

ICT Concentration Risk Assessment PARTIAL

Assessment of concentration risk arising from dependency on ICT third-party service providers, including single-provider dependencies, geographic concentration, and systemic risk analysis as required by DORA Article 31.

Formats
PDF
Evidence Class
concentration-risk-assessment
Availability
PARTIAL
Update Frequency
annual
Typical Author
Risk Manager
Approval Chain
Risk Manager → CRO → Board Risk Committee

Content Sections

Expected Fields

Common Quality Issues

ICT Provider Substitutability Analysis RARE

XML-structured analysis of the substitutability of ICT third-party service providers, including alternative provider identification, switching costs, and transition feasibility as required by DORA Articles 31-32.

Formats
XML
Evidence Class
substitutability-analysis
Availability
RARE
Update Frequency
annual
Typical Author
Enterprise Architect
Approval Chain
Enterprise Architect → CIO → CRO

Content Sections

Expected Fields

Common Quality Issues

Fact Schemas

concentration_risk_assessment_status

Schema ID
fs-concentration-risk-assessment
Control
DORA-Art31-P1

Valid Ranges

assessment_date
within last 12 months
single_provider_dependencies
should be minimised for critical services

Related Schemas

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "concentration_risk_within_tolerance": {
      "type": "boolean"
    },
    "geographic_concentrations_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "mitigation_actions_defined": {
      "minimum": 0,
      "type": "integer"
    },
    "mitigation_actions_implemented": {
      "minimum": 0,
      "type": "integer"
    },
    "service_concentrations_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "single_provider_dependencies": {
      "minimum": 0,
      "type": "integer"
    },
    "total_providers_assessed": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "total_providers_assessed",
    "single_provider_dependencies",
    "geographic_concentrations_identified"
  ],
  "type": "object"
}

substitutability_analysis_status

Schema ID
fs-substitutability-analysis
Control
DORA-Art31-P1

Valid Ranges

analysis_date
within last 12 months
alternative_providers_identified
at least 1 for substitutable providers

Related Schemas

JSON Schema

{
  "properties": {
    "alternative_providers_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "analysis_date": {
      "format": "date",
      "type": "string"
    },
    "data_portability_feasible": {
      "type": "boolean"
    },
    "estimated_switching_cost_eur": {
      "minimum": 0,
      "type": "number"
    },
    "estimated_transition_months": {
      "minimum": 0,
      "type": "integer"
    },
    "provider_id": {
      "minLength": 1,
      "type": "string"
    },
    "substitutability_rating": {
      "enum": [
        "easily_substitutable",
        "substitutable_with_effort",
        "difficult_to_substitute",
        "not_substitutable"
      ],
      "type": "string"
    }
  },
  "required": [
    "provider_id",
    "analysis_date",
    "substitutability_rating",
    "alternative_providers_identified"
  ],
  "type": "object"
}