Since 17 January 2025, the Digital Operational Resilience Act (DORA) is directly applicable law across the EU. Banks, insurers, investment firms, and payment service providers must demonstrably align their ICT risk frameworks, incident management processes, resilience tests, and third-party governance to the regulation — or face supervisory sanctions. This guide shows how financial institutions can use AWS to address all five DORA pillars, which contractual adjustments are required, and what governance structures regulators expect.
What Is DORA — and What Does It Concretely Require?
The Digital Operational Resilience Act (DORA), EU Regulation 2022/2554, is the first EU-wide unified framework for the digital operational stability of the financial sector. It replaces the previously fragmented national implementations of various EBA guidelines and establishes binding minimum standards for all regulated financial entities.
DORA applies to over 22,000 financial institutions in the EU: credit institutions, insurers, investment firms, payment service providers, crypto-asset service providers, central securities depositories, and more. Critically, the regulation extends to ICT third-party providers: cloud providers like AWS can be designated as Critical Third-Party Providers (CTPPs) and become subject to direct supervisory oversight by the Lead Supervisor (EBA DORA page).
The 5 DORA Pillars at a Glance
| DORA Pillar | Core Requirement | Articles |
|---|---|---|
| ICT Risk Management | Comprehensive ICT risk framework with protect, detect, respond, and recover capabilities | Art. 5–16 |
| Incident Management & Reporting | Classification and mandatory reporting of major ICT incidents to supervisory authority | Art. 17–23 |
| Digital Resilience Testing | Annual basic tests; threat-led penetration tests (TLPT) every 3 years for significant entities | Art. 24–27 |
| ICT Third-Party Risk Management | Third-party register, contractual minimum requirements, concentration risk oversight | Art. 28–44 |
| Information Sharing | Voluntary exchange of cyber threat information among financial institutions | Art. 45 |
Pillar 1: ICT Risk Management on AWS
DORA mandates a comprehensive ICT risk framework with four functions: Protect, Detect, Respond, and Recover. AWS offers services that map to each of these functions.
- AWS Config: Continuous assessment of resource configurations against compliance rules. Financial institutions can deploy DORA-specific Conformance Packs that automatically detect configuration deviations and aggregate findings in AWS Security Hub. Essential for Art. 9 DORA (protection and prevention).
- Amazon GuardDuty: Machine learning–based threat detection analyzing CloudTrail logs, VPC Flow Logs, and DNS logs. GuardDuty Malware Protection and Runtime Monitoring extend protection to EC2 instances and containers. Addresses detection requirements under DORA Art. 10.
- AWS Security Hub: Centralized security dashboard aggregating findings from GuardDuty, Config, Inspector, and Macie. Automated workflows via EventBridge enable immediate escalation for high-severity findings — essential for incident detection under DORA Art. 17.
- AWS Backup: Centralized backup management with Vault Lock (WORM) for immutable backups. DORA Art. 12 mandates backup policies and recovery tests — AWS Backup Audit Manager documents compliance automatically.
Pillar 2: Incident Management and Reporting Timelines
DORA distinguishes between incidents and major ICT incidents. Major incidents must follow a three-stage reporting path: initial notification within 4 hours (or by end of business day), intermediate report within 72 hours, final report within one month (BaFin on DORA).
The AWS stack for DORA-compliant incident management:
- Detection: Amazon CloudWatch Alarms and AWS Security Hub identify anomalies. GuardDuty findings are routed via EventBridge to SIEM systems or directly to ticketing tools (PagerDuty, Jira).
- Classification: AWS Config Conformance Packs can codify severity thresholds for DORA's major-incident classification. Automated Playbooks in AWS Systems Manager Automation perform initial triage steps.
- Forensics and Evidence Preservation: AWS CloudTrail provides immutable API logs for all resource operations. Amazon Detective visualizes attacker activity across timelines and graphs — critical for post-incident root-cause analyses.
- Escalation and Reporting: Amazon SNS and AWS Chatbot enable immediate notification of defined incident response teams. Structured logs in Amazon CloudWatch Logs Insights simplify creating the regulatory notification documents.
- Recovery: AWS Elastic Disaster Recovery (DRS) enables point-in-time recovery of on-premises and cloud workloads with RPO in minutes and RTO in hours. For critical core-banking systems, Multi-Region Active-Active is recommended.
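As an added illustration of the detection-to-escalation path above (example code written for this guide, not part of the original article and not an AWS or Storm Reply artifact): an EventBridge event pattern that forwards only HIGH/CRITICAL Security Hub findings, evaluated locally against constructed sample findings, with the 4 h / 72 h / one-month reporting clock derived from the detection time. The matcher implements only the exact-value subset of EventBridge pattern syntax; the finding IDs are constructed and the reading of "one month" as 30 days is an assumption.

```python
from datetime import datetime, timedelta

# EventBridge event pattern for the escalation rule (subset of EventBridge syntax:
# lists of allowed exact values on nested keys). Only HIGH/CRITICAL findings match.
ESCALATION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

def matches(pattern, event):
    """Evaluate an EventBridge-style pattern against an event (exact-match subset).
    Array-valued event fields (e.g. detail.findings[]) match if any element matches."""
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):                      # leaf: allowed values
        return event in pattern
    if not isinstance(event, dict):
        return False
    return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())

def reporting_deadlines(detected_at_iso):
    """DORA three-stage reporting clock counted from the detection timestamp (ISO 8601).
    The end-of-business-day alternative is not modelled; 'one month' is taken as
    30 days (assumption made for this example)."""
    t0 = datetime.fromisoformat(detected_at_iso)
    return {
        "initial_notification": (t0 + timedelta(hours=4)).isoformat(),
        "intermediate_report": (t0 + timedelta(hours=72)).isoformat(),
        "final_report": (t0 + timedelta(days=30)).isoformat(),
    }

def triage(event, detected_at_iso):
    """Return the reporting deadlines if the finding must be escalated, else None."""
    return reporting_deadlines(detected_at_iso) if matches(ESCALATION_PATTERN, event) else None

def sample_finding_event(label):
    """Constructed Security Hub finding in its EventBridge envelope (sample data, not real)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{"Id": "constructed-finding-0001",
                                 "Title": "Constructed sample finding",
                                 "Severity": {"Label": label}}]},
    }

if __name__ == "__main__":
    for label in ("LOW", "HIGH"):
        print(label, triage(sample_finding_event(label), "2025-03-01T09:00:00+00:00"))
```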
Pillar 3: Digital Resilience Testing
DORA mandates a comprehensive testing program: annual basic tests for all institutions and Threat-Led Penetration Tests (TLPT) every three years for significant financial entities.
AWS provides AWS Fault Injection Service (FIS) — a managed platform for chaos engineering with pre-built actions that simulate instance failures, network latency, API errors, and resource exhaustion in a controlled, reversible manner. The AWS Resilience Hub evaluates applications against RTO/RPO targets and produces a Resilience Score, which serves as the basis for DORA test documentation.
For TLPT tests: AWS permits penetration testing by authorized third parties against a customer's own infrastructure, and the AWS Penetration Testing Policy governs how such tests must be conducted. Storm Reply supports both technical execution and the regulatory documentation required by supervisors.
Pillar 4: ICT Third-Party Risk Management and AWS Contracts
This is the most demanding DORA pillar for cloud-using financial institutions. Art. 30 DORA defines minimum contractual clauses for all ICT third-party service contracts:
| DORA Requirement (Art. 30) | AWS Mechanism |
|---|---|
| Clear description of ICT services | AWS Service Terms + service-specific addenda in the AWS Customer Agreement |
| Data location and processing | AWS region selection + AWS Data Processing Addendum (GDPR DPA) |
| Subprocessor transparency | AWS Subprocessor list (public, continuously updated) |
| Audit and inspection rights | AWS Artifact: SOC 1/2/3, ISO 27001, BSI C5 Type II — recognized as valid evidence |
| Exit and portability rights | AWS data export tools (S3 Transfer, Snowball) + exit plan documentation |
| SLAs for availability and quality | AWS SLAs (EC2: 99.99% Multi-AZ, S3: 99.99%) — contractually binding |
| Business continuity and emergency plans | AWS Business Continuity Plan (BCP) — available via AWS Artifact |
Financial institutions with AWS Enterprise Support or Enterprise Discount Program (EDP) agreements can negotiate additional contractual adjustments for DORA compliance. Storm Reply assists as an AWS Premier Partner in contract structuring.
Concentration Risk: When AWS Becomes a Systemic Risk Factor
DORA Art. 29 requires financial institutions to assess and manage ICT concentration risk — particularly the dependence on a single cloud provider. Supervisors may require institutions to take remedial measures if this risk is deemed excessive.
Practical mitigation measures on AWS:
- Multi-Region architecture: Distribute critical workloads across at least two AWS regions (e.g., eu-central-1 Frankfurt + eu-west-1 Ireland). AWS Global Accelerator and Route 53 Health Checks enable automatic failover.
- Hybrid architecture: AWS Outposts or AWS Local Zones for data-sovereign, latency-sensitive workloads — combined with on-premises infrastructure for critical core-banking functions.
- Multi-cloud readiness: Containerized applications (Amazon EKS) and open standards (Kubernetes, Terraform) increase portability and reduce vendor lock-in.
- Documented exit plan: DORA mandates exit strategies as part of third-party management. This includes a documented procedure for migrating to alternative providers or repatriating workloads.
AWS Compliance Evidence and Audit Rights
DORA Art. 30 grants financial institutions audit rights over ICT third-party providers. AWS addresses this through a pooled-audit model: rather than individual on-site inspections, AWS makes comprehensive compliance reports available through AWS Artifact, recognized by supervisory authorities:
- SOC 2 Type II: Annual report covering security, availability, processing integrity, confidentiality, and privacy. Over 100 AWS services in scope. Relevant for DORA Art. 5 (ICT risk management) and Art. 28 (third-party management).
- BSI C5 Type II: German Federal Office for Information Security Cloud Computing Compliance Criteria Catalogue. AWS Frankfurt (eu-central-1) holds BSI C5 Type II attestation — particularly relevant for BaFin-regulated institutions.
- ISO 27001 / ISO 22301: ISO 27001 for information security management, ISO 22301 for business continuity management. Both certifications are recognized by supervisory authorities as DORA-relevant evidence.
- PCI DSS Level 1: For payment service providers and credit card processing. AWS is certified as a Level 1 Service Provider — the highest PCI DSS compliance level.
Frequently Asked Questions on DORA and AWS
- What is DORA and who does it apply to?
  - The Digital Operational Resilience Act (DORA, EU 2022/2554) has been mandatory since 17 January 2025, applying to all financial entities in the EU: banks, insurers, investment firms, payment service providers, crypto-asset service providers, and critical ICT third-party providers.
- Which AWS services are most relevant for DORA compliance?
  - For ICT risk management: AWS Config, AWS Security Hub, Amazon GuardDuty. For incident management: Amazon CloudWatch, AWS CloudTrail, Amazon Detective. For resilience testing: AWS Fault Injection Service (FIS), AWS Resilience Hub.
- Is AWS considered a critical ICT third-party provider under DORA?
  - AWS may be designated as a Critical Third-Party Provider (CTPP) by EBA/ESMA/EIOPA. Financial institutions must align their contractual arrangements with DORA's CTPP requirements and establish concentration risk management.
- How does AWS satisfy DORA Art. 30 audit rights?
  - AWS provides compliance reports (SOC 2 Type II, BSI C5 Type II, ISO 27001) via AWS Artifact. Supervisory authorities recognize this pooled-audit model, meaning financial institutions do not need to conduct individual on-site audits at AWS.