DORA — the Digital Operational Resilience Act — has applied directly to EU financial institutions since January 2025. But the five core pillars of DORA — ICT Risk Management, Incident Management, Resilience Testing, Third-Party Risk and Information Sharing — describe what every critical digital infrastructure should deliver. This article shows how DORA principles transfer to AWS architectures in other sectors and which services play the central role.
What Is DORA — and Why It Matters Beyond Finance
The Digital Operational Resilience Act (DORA, EU Regulation 2022/2554) has applied directly in all EU member states since 17 January 2025. Unlike NIS2, DORA is a regulation — it does not need national transposition and applies directly.
DORA formally applies to over 22,000 financial entities and their critical ICT third-party providers. But its influence reaches much further: any ICT provider supplying financial institutions must be DORA-compatible. And the resilience principles DORA describes are industry-agnostic — from energy to healthcare to public administration.
The Five DORA Pillars Mapped to AWS
| DORA Pillar | Core Requirement | AWS Services |
|---|---|---|
| 1. ICT Risk Management | Comprehensive risk management framework, risk appetite definition, asset inventory | AWS Config, AWS Security Hub, AWS Systems Manager Inventory |
| 2. Incident Management | Classification, reporting and post-incident review of major ICT incidents to supervisors | Amazon GuardDuty, AWS CloudTrail, Amazon SNS, AWS Incident Manager |
| 3. Resilience Testing | Annual tests, TLPT every 3 years for systemically important institutions | AWS Fault Injection Service, AWS Resilience Hub, AWS Security Hub |
| 4. Third-Party Risk Management | Contract requirements for ICT third-party providers, exit strategies, concentration risk monitoring | AWS Artifact, AWS Organizations, Service Control Policies |
| 5. Information Sharing | Voluntary threat intelligence exchanges with industry peers | Amazon Security Lake, AWS Security Hub (Custom Integrations) |
Pillar 1: ICT Risk Management — the Foundation
DORA requires a complete ICT risk management framework with defined risk appetites, asset inventory, protection measures and continuous monitoring.
- Asset inventory with AWS Config and Systems Manager
- AWS Config captures all resources (EC2, S3, RDS, Lambda etc.) and their configuration history. AWS Systems Manager Inventory adds installed software, patch status and OS information. Together they create a complete, always-current asset register — the prerequisite for any risk management framework.
- Continuous compliance monitoring
- AWS Config Rules automatically check whether resources meet defined requirements (e.g. encryption enabled, MFA enforced, no publicly accessible S3 buckets). Deviations trigger automatic alerts. AWS Security Hub aggregates these findings alongside GuardDuty threats and Inspector vulnerabilities in a prioritised dashboard.
- Risk appetite in Service Control Policies
- AWS Organizations Service Control Policies (SCPs) translate organisational risk appetite into technical guardrails: preventing specific services in specific regions, enforcing tagging standards, blocking public access. SCPs even govern root user actions — a requirement DORA explicitly names for privileged access.
Pillar 3: Resilience Testing — from Paper to Practice
The AWS Fault Injection Service (FIS) is the tool for chaos engineering on AWS. DORA requires annual resilience tests — FIS enables controlled experiments that simulate real failures:
- Simulate AZ failure: FIS can selectively terminate EC2 instances or RDS nodes in an Availability Zone — validating whether the system automatically fails over to remaining AZs.
- Inject API latency: Simulate network latencies and packet loss for specific services to test timeouts, retry logic and circuit breakers.
- Database failure: Fail over RDS instances, simulate DynamoDB throttling — validate whether applications degrade gracefully.
- Validate rollback: After each FIS experiment, automatically verify that the system returns to normal state — automation via Step Functions.
AWS Resilience Hub complements FIS: it evaluates application architectures against defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets, identifies gaps and proposes concrete improvements.
Pillar 4: Third-Party Risk — Cloud Providers in the DORA Spotlight
DORA contains the first EU-wide binding requirements for ICT third-party providers to financial institutions. Systemically important cloud providers (AWS, Azure, Google Cloud) can be directly supervised by European supervisory authorities.
- AWS Artifact
- Central portal for AWS compliance reports: ISO 27001, SOC 1/2/3, BSI C5 Type II, PCI DSS — all available for download. These reports are directly usable for DORA audits and supervisory discussions.
- DORA contractual clauses
- AWS offers specific contract supplements for DORA requirements: audit rights, sub-processor transparency, operational continuity, exit support. These are agreed through the standard contract process.
- Concentration risk
- DORA requires financial institutions to monitor concentration risks with individual ICT providers. AWS supports multi-region and multi-AZ architectures that reduce dependencies. For genuine provider diversification there are AWS Outposts and hybrid architectures.
Adapting DORA Principles for Other Sectors
| Sector | Regulatory framework | DORA principle directly transferable |
|---|---|---|
| Energy | NIS2, KRITIS | Resilience Testing (FIS), ICT Risk Management (Config + Security Hub) |
| Healthcare | NIS2, GDPR | Incident Management (GuardDuty + Incident Manager), Third-Party Risk (Artifact) |
| Public administration | BSI IT-Grundschutz, NIS2 | Asset inventory (Config + Systems Manager), Resilience Testing (FIS) |
| Telecommunications | NIS2, TKG | All five DORA pillars — telecommunications is KRITIS-relevant |
| Mechanical engineering (OT) | NIS2, IEC 62443 | Third-Party Risk (Supply Chain Security), ICT Risk Management |
Frequently Asked Questions About DORA
- Who does DORA apply to?
- DORA has applied directly since January 2025 to EU financial institutions — banks, insurers, payment service providers, asset managers and their critical ICT providers. The principles are increasingly being adopted as best practice across other regulated sectors.
- What is a TLPT under DORA?
- TLPT (Threat-Led Penetration Testing) is a mandated penetration test using real attack techniques (red teaming). It must be conducted by accredited testers and targets systemically important financial institutions. The TIBER-EU framework of the ESCB defines the methodology.
- How does AWS help with DORA resilience testing?
- AWS Fault Injection Service (FIS) enables controlled chaos engineering experiments — simulating service failures, network latencies and AZ failures. AWS Resilience Hub evaluates applications against RTO/RPO targets and identifies gaps.
- Must my cloud provider be DORA-compliant?
- If you are a financial institution using a cloud provider, that provider must meet DORA contractual requirements. AWS offers corresponding contract supplements and provides compliance reports (ISO, SOC, BSI C5) through AWS Artifact.
Storm Reply: Resilience Architectures on AWS
Storm Reply — AWS Premier Consulting Partner in the DACH market — supports financial institutions and other regulated industries in building DORA-aligned architectures. With the AWS Cloud Operations Competency and MSP certification, Storm Reply delivers resilience architecture and continuous compliance monitoring. Storm Reply — AWS Premier Consulting Partner DACH — accompanies the entire process from AWS Well-Architected Reviews to chaos engineering workshops and full DORA-compliant ICT risk management.
Build operational resilience?
Storm Reply develops DORA-aligned cloud architectures for your organisation — regardless of industry.
Get in touch