“What happens if we have to leave this hyperscaler?” Under DORA, that is no longer a hypothetical. For ICT services supporting critical or important functions, entities must have a documented — and credible — exit strategy, plus a clear view of concentration risk. A right-to-exit clause that no one could actually execute is exactly what supervisors probe.
What DORA expects
Article 28 requires entities to assess concentration risk and ensure they can exit a provider without undue disruption. Article 30 requires the contract to include exit and transition provisions for critical-function arrangements. The combination means: know your exposure, and be able to move.
Concentration risk: see it first
- Provider concentration — how much of your critical estate sits with one hyperscaler.
- Hidden concentration — several “independent” SaaS vendors that all run on the same underlying cloud or region.
- Geographic concentration — critical workloads in a single region or jurisdiction.
You cannot manage what you cannot see — this is where the Register of Information earns its keep, by making the provider-and-function map explicit.
An exit strategy that actually works
- Avoid one-way doors. Favour portable patterns — standard data formats, containerised workloads, abstracted cloud services — so leaving is an engineering task, not a rebuild.
- Document the transition: where data goes, how it is migrated, who does what, and the timeline.
- Test it. Run at least a desktop exercise, ideally a partial technical rehearsal, for your most critical provider. An untested exit is not credible.
- Negotiate exit support. Bake transition assistance and data-return obligations into the contract.
Go deeper
The Third-Party Risk Management Expert and Contract Manager certifications cover concentration analysis, exit strategies and the Article 30 clauses that make them enforceable. See the full DORA certification catalogue.