Entangled in tech: financial institutions and their digital dependence

What do we mean by digital dependence – and why is it such a relevant issue today?

 
Melanie: 'Today’s financial sector runs almost entirely on digital infrastructure. From customer service to risk management, institutions rely heavily on external IT providers – think cloud platforms or developers of AI models.

This dependence has grown rapidly in recent years. Because IT services are complex, many institutions find it more efficient and cost-effective to outsource them rather than develop them in-house. But most of these services are provided by the same small group of providers.

So if one of these major suppliers experiences a failure or disruption, the impact can ripple across the entire financial sector.'

Hans: 'What makes this issue even more urgent is the current geopolitical climate. Most major tech companies are non-European, which increases the vulnerability of institutions that rely on them.

It’s not hard to imagine a scenario where a foreign government uses that dependence as leverage. For example, a political leader could instruct a major tech company in their country to cut ties with a European bank over a policy disagreement. That kind of pressure could have serious consequences.'

Are there other risks that come with this high level of dependence?

 
Hans: 'Yes, beyond geopolitical risks, there are financial concerns as well. Relying too heavily on a single IT provider can make it difficult to switch later.

As systems become more intertwined, transitioning to another supplier becomes technically complex. This is what we call ‘vendor lock-in’ – a situation where the supplier holds a strong position and can, for example, raise prices with little pushback.'

Melanie: 'And it’s not just the main suppliers we need to consider. Many IT service providers rely on subcontractors – and those subcontractors may have subcontractors of their own. This creates a layered ecosystem that’s hard to fully monitor. If something goes wrong – like a cyber incident or service failure – the impact can be much broader than expected.'

How does digital dependence affect everyday consumers like me?

 
Melanie: 'It’s not always visible, but digital dependence in the financial sector can have a direct impact on you and me. Take your banking app, for example. If a major IT provider experiences an outage, you might suddenly find yourself unable to access your account or make payments.'

Hans: 'And it’s not just about access. Digital dependence also affects how your personal data is handled. If foreign authorities have influence over the companies storing that data, there’s a risk it could be misused. As consumers, we should be able to trust that our data is secure – and that banks and insurers maintain control over who can access it.'

How are financial institutions and IT suppliers responding to these risks?

 
Melanie: 'This issue is very much on the radar, and institutions are aware of the risks. We recently visited an organisation that asked itself a simple but telling question: if our IT supplier went down, could we – figuratively speaking – even get into our office?

This sense of urgency is prompting action. Institutions are developing detailed exit strategies and continuity plans to ensure they can recover quickly in a crisis. They’re also working to map out their dependencies as precisely as possible.

One technical solution gaining traction is ‘containerisation’ – a way of packaging data and applications so they can be easily moved from one provider to another. Think of it as a virtual moving box.'

Hans: 'IT suppliers are responding too. Large cloud providers are increasingly offering ‘sovereign cloud’ solutions, where data and operations fall under European laws – keeping them out of reach of, say, the US authorities. Institutions are also being given the option to encrypt their customer and proprietary data using their own encryption keys.

These are welcome developments, but as long as institutions rely on a small group of non-European providers, the risks remain. And whether these solutions will truly reduce dependence in the long run is still an open question.'

What can be done in the short term, and what’s needed for the long run?

 
Hans: 'In the short term, it’s crucial for institutions to prepare for disruptive scenarios – such as sanctions or hybrid cyber attacks. This means working together to develop threat scenarios, share information, and conduct chain tests. At the AFM and DNB, we actively support and facilitate this kind of cooperation.'

Melanie: ‘Institutions also need to be able to clearly explain and justify how their decisions support data sovereignty and security. Using open software standards, containerisation, and working with multiple vendors can help reduce dependence – though these solutions aren’t always simple or cheap.

While these steps help in the short term, the long-term solution lies in building strategic autonomy. To achieve that, we need a strong European tech sector. Right now, Europe is lagging behind. Closing that gap will require investment, innovation, and coordinated action at the European level. Only then can we reduce our dependence on non-European providers and strengthen our digital resilience.'

Hans: 'The report also highlights the need to tackle the structural causes of digital dependence. That includes improving the pan-European investment climate and removing regulatory barriers. We also need to further develop European alternatives in cloud services and AI. Financial institutions can play a key role here by joining forces to create the scale needed to give these alternatives a real chance.

What role does the new European digital resilience law, DORA, play in this context?

Hans: 'DORA is an important step forward. It requires financial institutions to manage their dependence on IT suppliers more carefully: by selecting providers with due diligence, conducting risk analyses, and monitoring service levels.

It also sets requirements for contracts, exit strategies, and continuity planning. It also introduces European oversight for critical IT suppliers. But regulation alone isn’t enough. Some vulnerabilities remain – especially around concentration risks and geopolitical tensions.'

Melanie: 'That’s why closer collaboration between supervisory authorities is so important. We also want to encourage European policymakers to consider establishing a dedicated European cloud regulator. Only by working together across borders can we truly strengthen the digital autonomy of the financial sector.'

Finally, what message would you like to leave with the financial sector?

 
Melanie: 'Stay alert, work together and invest in resilience. Digital dependence is a complex, cross-border issue, and tackling it requires joint solutions.

Hans: 'And don’t just focus on the short term. Only by investing in innovation and European cooperation now can we make the financial sector more resilient and less vulnerable in the future.