Skip to main content
DORA Auditor

Cloud Resilience Assessment for DORA

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

A cloud resilience assessment evaluates the operational and concentration riska financial entity carries from its cloud and other ICT providers under DORA's third-party risk pillar. Cloud is often the largest single source of ICT third-party dependency.

What the assessment reviews

It examines which cloud services support critical or important functions, contractual coverage of access, audit and exit rights, sub-outsourcing chains, and whether over-reliance on one provider or region creates concentration risk. Findings feed the register of information.

Why it matters under DORA

Cloud providers that are designated critical ICT third-party providers fall under a new EU oversight framework, and financial entities remain accountable for managing their exposure, including credible exit strategies.

Frequently asked questions

Does DORA regulate cloud providers directly?
What is concentration risk under DORA?
Does DORA require a cloud exit strategy?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. European Banking Authority, DORA