Cloud Resilience Assessment for DORA
A cloud resilience assessment evaluates the operational and concentration riska financial entity carries from its cloud and other ICT providers under DORA's third-party risk pillar. Cloud is often the largest single source of ICT third-party dependency.
What the assessment reviews
It examines which cloud services support critical or important functions, contractual coverage of access, audit and exit rights, sub-outsourcing chains, and whether over-reliance on one provider or region creates concentration risk. Findings feed the register of information.
Why it matters under DORA
Cloud providers that are designated critical ICT third-party providers fall under a new EU oversight framework, and financial entities remain accountable for managing their exposure, including credible exit strategies.
Frequently asked questions
Does DORA regulate cloud providers directly?
Cloud providers designated as critical ICT third-party providers are subject to direct EU oversight; others are managed through the financial entity's contracts and controls.
What is concentration risk under DORA?
Risk arising from over-reliance on a single ICT provider or a small number of providers. See the glossary definition.
Does DORA require a cloud exit strategy?
Yes. Contracts for critical or important functions must include documented exit strategies and transition arrangements.