The increasing reliance on cloud services and outsourced ICT providers creates significant compliance challenges under DORA. The regulation introduces strict requirements for managing these relationships.

DORA and Cloud Services

What DORA Says About Cloud

DORA doesn't prohibit cloud services but imposes specific requirements:

  • Financial institutions retain ultimate responsibility
  • Cloud service agreements must include DORA-specific clauses
  • Right to audit cloud providers must be contractually guaranteed
  • Exit procedures must be documented and tested
  • Data residency and location must be specified

Critical vs. Important ICT Services

Critical ICT Third-Party Service Providers

Designated by competent authorities as critical where the provider's failure would:

  • Breach legal obligations
  • Prevent essential functions
  • Threaten financial stability
  • Affect market integrity

Examples: Major cloud providers, essential payment processors, core banking platform vendors

Important ICT Third-Party Providers

Not deemed critical but still important for operations:

  • Secondary cloud services
  • Application vendors
  • Support and maintenance providers
  • Specialized service providers

Requirements for Critical Cloud Providers

Direct Supervision

Critical third-party ICT service providers face:

  • Direct Authorization: ECB/competent authority approval may be required
  • Direct Supervision: Regular compliance examinations
  • Direct Sanctions: Authority can impose fines directly
  • Audit Rights: On-site and remote examinations

Resilience Requirements for Critical Providers

  • Business continuity and disaster recovery plans
  • Threat-led penetration testing
  • Incident reporting to authorities
  • Risk management frameworks
  • Data security and integrity controls

Contractual Requirements

Critical cloud provider contracts must include:

  • Performance Standards:
    • Service level agreements (SLAs)
    • Recovery time objective (RTO)
    • Recovery point objective (RPO)
    • Availability guarantees
  • Data Protection:
    • GDPR compliance commitment
    • Data residency requirements
    • Encryption standards
    • Data deletion procedures
  • Audit and Monitoring:
    • Unannounced audit rights
    • Access to monitoring data
    • Third-party audit reports
    • Incident notifications
  • Exit Procedures:
    • Data migration assistance
    • Transition support timeline
    • Data destruction procedures
    • Escrow arrangements

Requirements for Important Cloud Providers

Contractual Arrangements

Less stringent than for critical providers, but contracts must still include:

  • Clear service level descriptions
  • Security and data protection terms
  • Incident reporting obligations
  • Right to audit (with reasonable notice)
  • Exit procedures

Risk Assessment

  • Identify critical dependencies
  • Assess concentration risk
  • Evaluate financial stability of provider
  • Assess technical capabilities

Ongoing Monitoring

  • Regular performance reviews
  • Incident tracking
  • Compliance verification
  • Financial health monitoring

Practical Implementation Steps

Step 1: Cloud Inventory (Weeks 1-4)

  • Document all cloud services in use
  • Classify as critical or important
  • Map data flows and dependencies
  • Identify concentration risks

Step 2: Contract Review (Weeks 5-8)

  • Audit existing agreements
  • Identify DORA gaps
  • Negotiate required changes
  • Document all agreements

Step 3: Risk Assessment (Weeks 9-12)

  • Evaluate provider financial health
  • Assess security capabilities
  • Test exit procedures
  • Document risk mitigation

Step 4: Continuous Monitoring (Ongoing)

  • Monthly performance reports
  • Quarterly compliance reviews
  • Annual audit rights exercise
  • Incident tracking
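The four steps above come together as a repeatable check: an inventory of cloud services, each classified as critical or important, a map of which provider each one ultimately runs on, a gap check against the contractual clauses listed earlier, and a concentration measure. The script below is an added example and not code from the page or from any regulator; the service names, provider names (HyperscalerA, PaySaaS and so on), the sub-outsourcing map and the 50% concentration threshold are all constructed or assumed for illustration, since DORA leaves the threshold to the institution's own risk appetite. The concentration measure follows the sub-outsourcing chain, so a SaaS vendor hosted on a hyperscaler counts toward that hyperscaler's share, which is what "map data flows and dependencies" is meant to surface.

```python
from dataclasses import dataclass

# Shorthand for the contractual clauses the page lists for critical and
# for important providers (names are this example's own labels).
CRITICAL_CLAUSES = frozenset({
    "SLA", "RTO/RPO", "data residency", "encryption",
    "unannounced audit", "incident notification", "exit assistance", "escrow",
})
IMPORTANT_CLAUSES = frozenset({
    "service levels", "security terms", "incident reporting",
    "audit with notice", "exit procedures",
})


@dataclass
class CloudService:
    name: str
    provider: str
    criticality: str            # "critical" or "important"
    functions: frozenset        # business functions that depend on this service
    clauses: frozenset          # clauses present in the current contract
    exit_tested: bool = False   # has the exit procedure actually been exercised?


# Constructed sub-outsourcing map: provider -> providers it itself runs on.
PROVIDER_DEPENDENCIES = {
    "PaySaaS": {"HyperscalerA"},
    "AppVendor": {"HyperscalerB"},
}

# Constructed inventory (Step 1): four services, three of them critical.
INVENTORY = [
    CloudService("core-banking", "HyperscalerA", "critical",
                 frozenset({"ledger"}), CRITICAL_CLAUSES, exit_tested=True),
    CloudService("payments-saas", "PaySaaS", "critical",
                 frozenset({"payments"}),
                 CRITICAL_CLAUSES - {"escrow", "unannounced audit"}),
    CloudService("treasury", "HyperscalerB", "critical",
                 frozenset({"treasury"}), CRITICAL_CLAUSES, exit_tested=True),
    CloudService("hr-system", "AppVendor", "important",
                 frozenset({"hr"}), IMPORTANT_CLAUSES - {"exit procedures"}),
]


def upstream_providers(provider, deps):
    """Transitive closure of providers that `provider` rests on, itself included."""
    seen, stack = set(), [provider]
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(deps.get(p, ()))
    return seen


def concentration(inventory, deps):
    """Share of all critical business functions that ultimately rest on each provider."""
    critical_functions, per_provider = set(), {}
    for svc in inventory:
        if svc.criticality != "critical":
            continue
        critical_functions |= svc.functions
        for p in upstream_providers(svc.provider, deps):
            per_provider.setdefault(p, set()).update(svc.functions)
    total = len(critical_functions) or 1
    return {p: len(f) / total for p, f in per_provider.items()}


def contract_gaps(svc):
    """Clauses the page requires for this criticality that the contract lacks (Step 2)."""
    required = CRITICAL_CLAUSES if svc.criticality == "critical" else IMPORTANT_CLAUSES
    return sorted(required - svc.clauses)


def review(inventory, deps, threshold=0.5):
    """Findings for Steps 2-4: contract gaps, untested exits, concentration above threshold."""
    findings = []
    for svc in inventory:
        for clause in contract_gaps(svc):
            findings.append(f"{svc.name}: contract lacks '{clause}'")
        if svc.criticality == "critical" and not svc.exit_tested:
            findings.append(f"{svc.name}: exit procedure never tested")
    for p, share in sorted(concentration(inventory, deps).items()):
        if share > threshold:   # assumed 50% risk-appetite threshold
            findings.append(f"{p}: {share:.0%} of critical functions depend on it "
                            "(directly or via sub-outsourcing)")
    return findings


if __name__ == "__main__":
    for line in review(INVENTORY, PROVIDER_DEPENDENCIES):
        print(line)
```

Run directly, the script reports the two missing critical clauses and the untested exit for the payments vendor, the missing exit clause for the HR vendor, and flags HyperscalerA at 67% of critical functions even though its direct share is only one function in three: the payments vendor's dependency on it is what pushes the concentration over the threshold, which a per-contract review would not reveal.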

Key Cloud Providers and DORA Compliance

Major Cloud Providers (Likely Critical)

  • AWS: DORA-aware, offering compliance documentation
  • Microsoft Azure: DORA compliance program
  • Google Cloud: Financial services compliance
  • IBM Cloud: Enterprise compliance offerings

Due Diligence Questions

  • Do you have a DORA compliance program?
  • Are you willing to include DORA-specific clauses in contracts?
  • What audit rights do you provide?
  • Where is data physically stored (data residency)?
  • What SLAs do you offer?
  • How do you handle incident reporting?
  • What exit and transition support do you provide?

Multi-Cloud and Hybrid Strategies

Risks of Multi-Cloud

  • Concentration Risk: Over-reliance on single provider
  • Vendor Lock-in: Difficulty switching providers
  • Compliance Complexity: Managing multiple standards
  • Data Fragmentation: Difficulty monitoring data across providers

Multi-Cloud Benefits

  • Resilience: Reduced dependency on single provider
  • Negotiating Power: Leverage with multiple vendors
  • Flexibility: Best-of-breed services from different providers
  • Risk Distribution: Spread failure risk across providers

Common Challenges and Solutions

Challenge: Cloud Provider Non-Compliance

Solution: Include compliance requirements in contract renewals, conduct regular audits, and escalate non-compliance to provider management

Challenge: Outdated Contracts

Solution: Systematic contract review and modernization program

Challenge: Data Residency Issues

Solution: Specify EU data residency requirements in contracts

Challenge: Exit Procedures

Solution: Test exit procedures annually, document runbooks, maintain alternate infrastructure