Dutch Regulators Warn That Digital Dependence Is Becoming a Systemic Risk

Key Takeaways

• Systemic Risk from Tech Concentration: AFM and DNB warn that the financial sector’s growing reliance on a few non-European IT providers creates systemic vulnerabilities that could disrupt large parts of the system if a single vendor fails.
• Geopolitical Exposure: The regulators highlight that digital dependencies could be weaponized through sanctions, cyberattacks, or political leverage amid rising global tensions.
• Short-Term Resilience Measures: Institutions are urged to prepare for disruptive scenarios through collaboration, intelligence sharing, chain testing, and control of encryption keys to protect data sovereignty.
• Long-Term European Strategy: AFM and DNB call for coordinated European action to build robust, sovereign technology alternatives and strengthen digital autonomy.
• Oversight Under DORA: The Digital Operational Resilience Act provides new oversight of critical IT vendors, but the regulators say further European coordination, and possibly a cross-sector cloud regulator, will be needed.

Deep Dive

The Dutch Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB) are warning that the Netherlands’ financial system is becoming increasingly fragile, not because of balance sheets or liquidity, but because of its digital backbone.

In a joint report published recently, the two regulators cautioned that the financial sector’s growing reliance on a handful of non-European technology providers has become a source of systemic risk. Banks, insurers, and asset managers are outsourcing more of their critical operations, from cloud infrastructure to AI models, to a small group of global vendors. The problem, as AFM and DNB describe it, is that “a failure at a single provider could affect large parts of the financial sector simultaneously.”

A Fragile Digital Foundation

What began as a quest for efficiency and innovation has, over time, created a concentration risk that extends far beyond IT. The Dutch financial system’s digital infrastructure (its customer interactions, transaction processing, compliance, and risk management functions) is now largely run by a few major cloud and software providers based outside Europe.

“Without European digital alternatives, the sector remains exposed to geopolitical risks,” said Steven Maijoor, Chair of Supervision at DNB.

AFM Chair Laura van Geest echoed that warning,“Digital dependence makes our financial sector vulnerable. We can only enhance resilience sustainably through European cooperation and greater strategic autonomy.”

The report notes that while institutions have adopted continuity plans and “multi-vendor” strategies, vendor lock-in remains difficult and costly to avoid. A growing number of firms now use “sovereign cloud” offerings, where data and operations are subject to European laws, but the regulators cautioned that even these may not fully insulate institutions from foreign influence.

Geopolitics Meets Infrastructure

In a world of shifting alliances and rising digital tensions, the AFM and DNB warn that dependence on non-European providers isn’t just a technical vulnerability, it’s a geopolitical one.

The report outlines scenarios that go beyond traditional cyber risk: sanctions cutting off key digital services, or a hybrid attack that combines cyber intrusion with disruption of cloud infrastructure. In each case, a chain reaction could unfold across multiple institutions, disrupting payments, trading, and even access to basic financial services.

Recent geopolitical developments, the report says, have only “intensified the urgency” of addressing these dependencies. What’s at stake isn’t just operational resilience, it’s digital sovereignty.

Preparing for Disruption

For now, the regulators acknowledge that deep digital dependence can’t be reversed overnight. But they urge institutions to plan for disruption rather than stability. The report calls on firms to collaborate across the ecosystem, to share intelligence, run joint “chain tests” that simulate supply-chain attacks, and make clear how their vendor decisions support data security and sovereignty.

Institutions are also encouraged to retain control of their encryption keys and design IT architectures flexible enough to avoid single points of failure.

The short-term message is pragmatic: prepare for the worst-case scenario, because resilience begins with realism.

A European Challenge

The long-term solution, AFM and DNB argue, lies in European coordination. Reducing dependence on non-EU technology will require building credible European alternatives and ensuring access to financing for the continent’s emerging tech players.

The regulators cite the Digital Operational Resilience Act (DORA) as a step forward, providing greater oversight of critical IT vendors and a pan-European Register of Information to map third-party dependencies. But they also see gaps and call for more cooperation between supervisors, possibly even a cross-sector European cloud regulator empowered to enforce “truly sovereign” cloud standards.

“Digitalization is indispensable,” the report concludes, “but new risks have emerged around continuity, cybersecurity, and even sovereignty. Safeguarding a stable, fair, and resilient financial system requires making those dependencies visible and controllable—and ultimately reducing them.”

The warning from the Netherlands comes as Europe grapples with its broader digital autonomy challenge. As global hyperscalers dominate the technology stack underpinning critical infrastructure, from finance to energy, the debate is no longer about efficiency or cost. It’s about control.

For financial institutions, that means resilience planning now has to stretch beyond cyber incidents and operational disruptions to include strategic dependence—who runs the servers, who owns the code, and where the data truly lives.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.