AWS for Industries

Introducing the AWS User Guide to the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a pan-European legislative framework on operational resilience and cyber resilience. DORA outlines improvements in information and communications technology (ICT) and security risk-management requirements, a harmonization regime for ICT incident reporting, development of a digital operational resilience testing framework, and an oversight framework for critical ICT third-party providers. DORA does not set any restrictions or limitations on financial entities (FEs) subject to DORA requirements for their adoption and use of cloud services.

DORA sets uniform requirements for FEs to achieve a high common level of digital operational resilience. It covers requirements related to ICT risk management, reporting of major ICT-related incidents and cyber threats, digital operational resilience testing, information sharing on cyber threats and vulnerabilities, and measures for managing ICT third-party risk. The regulation promotes a principles-based approach to ICT risk management, giving FEs the flexibility to use different management models as long as they address key functions such as identification, protection, detection, response, recovery, and communications. DORA requires FEs to maintain updated and resilient ICT systems that can handle stressed market conditions and adverse situations, and mandates efficient business continuity and recovery plans to limit damage and ensure prompt resumption of activities after ICT-related incidents.

In previous blogs in April 2024 and October 2023, we briefed customers that AWS has actively participated in the consultations on DORA’s technical standards, providing insights and feedback to support the development of a robust and effective regulatory framework.

Today, we are excited to announce the launch of the AWS User Guide to the Digital Operational Resilience Act (DORA).

This guide describes the roles that AWS and its customers play in managing operational resilience in and on AWS, the AWS Shared Responsibility Model, relevant compliance frameworks, AWS services and features, and the measures customers use to evaluate their compliance with sample DORA requirements when adopting AWS.

Who should use the guide?

The AWS User Guide to DORA is a comprehensive resource tailored to meet the needs of various stakeholders within financial services organizations. Technical decision-makers, such as IT leaders, architects, and engineers responsible for designing, implementing, and managing cloud infrastructure and services, will find the guide invaluable in understanding how AWS services support DORA compliance. Risk and compliance professionals tasked with ensuring regulatory adherence, managing risk, and overseeing governance processes can leverage the guide to align their organization’s cloud initiatives with DORA requirements.

How to use the guide:

Start by understanding the key requirements placed on your organization by DORA, including those on ICT risk management, managing ICT third-party risk, and developing an operational resilience strategy.

Deep-dive into our series of considerations on how financial entities seeking to meet the regulatory expectations set by DORA can use AWS services and documentation to help show their compliance. These considerations include using AWS services such as AWS Audit Manager, AWS Security Hub, AWS Resilience Hub, AWS Config, and AWS Trusted Advisor to facilitate operational risk management activities. The section ‘Alignment to DORA for Cloud Services’ provides further details on these subjects. The guide highlights key AWS Compliance programs and the importance of the AWS Artifact service, which provides FEs on-demand access to select security reports, compliance reports, and agreements with AWS, and enables customers to manage ICT third-party risk.

Further, we recommend you read through the AWS approach to Operational Resilience in the Financial Sector & Beyond as you build out your Operational Resilience Framework and Strategy. The section ‘Operational Resilience and the Shared Responsibility Model’ summarizes the AWS Shared Responsibility Model for operational resilience, and further guidance is available in subsequent sections.

Lastly, the guide recommends FEs leverage the AWS Cloud Adoption Framework (AWS CAF) to inform the design and operation of their governance and control frameworks. The AWS CAF applies AWS experience and best practices to help FEs digitally transform and accelerate business outcomes through innovative use of AWS. AWS CAF identifies specific organizational capabilities that underpin successful cloud transformations. These capabilities provide best practice guidance that helps FEs improve cloud readiness. AWS CAF groups its capabilities into six perspectives: Business, People, Governance, Platform, Security, and Operations.

Next steps

Explore the AWS User Guide to the Digital Operational Resilience Act (DORA) and discover how AWS can support your organization’s compliance journey. If you have questions or need further assistance, please reach out to our FSI Security & Compliance team at aws-fsi-compliance@amazon.com or your AWS Account team.

Stephen Martin

Head of Financial Services Compliance and Security for EMEA and APAC. Steve joined AWS after working for over 20 years in financial services in senior leadership roles with responsibility across Asia, the Middle East and Europe. At AWS, he supports customers as they leverage the scale, security, and agility of AWS to transform the industry.

Akshay Dalal

Akshay is an FSI GRC Specialist at Amazon Web Services. In his role at AWS, he advises Financial Services and ISV customers across the EMEA region on best practices and practical solutions for cloud-related governance, risk, and compliance. Prior to joining AWS, Akshay worked as a management consultant, leading cross-geographical and cross-functional teams to develop and scale solutions that tackled complex challenges faced by regulators, supervisory bodies, and financial services organizations.

Eduardo Vilela

Eduardo is Head FSI Reg. Enablement EMEA and helps our financial services customers with regulatory requirements and guidelines relating to risk and cybersecurity. He joined AWS after working more than 25 years at UBS, BBVA, Barclays Capital and Promontory (an IBM company). He provides governance solutions to boards of directors and to FSI leadership, and is well-versed in helping companies meet stringent regulatory requirements as they operate in the cloud.