# Art. 29 — Concentration risk assessment

1. When performing the identification and assessment of risks referred to in [Article 28(4), point (c)](/dora/digital-operational-resilience-act/chapter-v-managing-ict-third-party-risk/article-28-general-principles.md), financial entities shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) would lead to any of the following:

   1. contracting an [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) that is not easily substitutable; or
   2. having in place multiple contractual arrangements in relation to the provision of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) with the same [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) or with closely connected [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider).

   Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.

2. Where the contractual arrangements on the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) include the possibility that an [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider) further subcontracts [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting a [critical or important function](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) to other [ICT third-party service providers](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider), financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.

   Where contractual arrangements concern [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function), financial entities shall duly consider the insolvency law provisions that would apply in the event of the [ICT third-party service provider](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider)'s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity's data.

   Where contractual arrangements on the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) are concluded with an [ICT third-party service provider established in a third country](https://www.mica.wtf/definitions/definitions/dora/ict-third-party-service-provider-established-in-a-third-country), financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.

   Where the contractual arrangements on the use of [ICT services](https://www.mica.wtf/definitions/definitions/dora/ict-services) supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

