The financial sector faces a growing risk due to its increasing dependence on a small number of non-European IT suppliers. So say the Netherlands Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB) in a joint report published today. The regulators warn that this dependence can lead to concentration and systemic risks, with disruptions at one supplier affecting large parts of the sector. With this report, the AFM and DNB want to encourage financial institutions to further strengthen their digital resilience and stress the importance of working towards European digital autonomy in the long run.
The financial sector is increasingly dependent on non-European IT service providers to perform critical processes. More and more institutions are outsourcing (parts of) their IT to external suppliers, including cloud service providers, software providers and suppliers of AI models. Recent geopolitical developments make the risks of this digital dependency more urgent, regulators say.
Because institutions tend to use the same providers and infrastructures, concentration and system risks have emerged. Failures and cyber incidents at IT service providers can therefore affect multiple institutions simultaneously. The stability of the financial system thus becomes partly dependent on the robustness of these external providers.
In the current bleak geopolitical climate, there is a risk that state actors could misuse this reliance on digital services as a political lever or tool in a trade conflict. Consider, for example, a situation where essential IT services are suddenly shut down due to sanctions, or a hybrid attack where cyber attacks and physical damage to infrastructure lead to the disruption of critical and vital processes. While the report shows that financial institutions are aware of these risks, further action is needed.
Steven Maijoor, chairman of supervision at DNB: "Without European digital alternatives, the sector remains vulnerable to geopolitical tensions."
Laura van Geest, AFM Board Chair: "Digital dependence makes our financial sector vulnerable. Only through European cooperation and greater strategic autonomy can we sustainably strengthen resilience."
Digital dependency is a complex issue that cannot be solved in the short term. The AFM and DNB therefore call on institutions to actively prepare for disruptive scenarios. Here, institutions can cooperate with IT suppliers, authorities and other institutions to develop threat scenarios, exchange information about concrete threats and attacks and perform chain tests. It is also important that institutions can explain the choices they have made to ensure that their data is sovereign and secure.
Reducing digital dependence is a task that transcends individual institutions and sectors and requires broad European solutions. In the longer term, it is therefore important to reduce financial institutions' dependence on non-European IT providers and develop fully-fledged European alternatives. To this end, it is important to work towards a stronger innovation and investment climate for European tech companies.
