Predictions for EU's Digital Operational Resilience Act (DORA)
As we look ahead to 2026, the European Union's Digital Operational Resilience Act (DORA) will fundamentally reshape how financial services firms think about operational risk. The core message is straightforward: DORA transforms cloud outages from third-party problems into your problems.
It is no longer enough to secure your own perimeter. Financial institutions are now operationally responsible for the resilience of their critical vendors, from cloud infrastructure providers like AWS and Azure to platform dependencies such as BlackRock Aladdin. If your cloud provider experiences an outage, your firm faces potential regulatory consequences unless you can demonstrate a credible contingency plan.
2025 was a wake-up call: The year of major cloud outages
The case for urgent action is written in the incident logs of 2025. This year, the "Big Three" cloud providers (Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure) each suffered at least one massive, global-scale outage that disrupted major swaths of the internet, alongside dozens of smaller regional incidents. For financial services firms operating under DORA, these events serve as a stark reminder of systemic concentration risk.
Google Cloud Platform: June 12, 2025
Google Cloud experienced a catastrophic global outage caused by a software bug, specifically a "null pointer exception", in Google's Service Control system. This broke authentication globally, meaning services could not verify user identities, effectively locking everyone out. Industry reports noted that GCP experienced 78 incidents by mid-year, though most were minor and regional.
Impact: Spotify, Snapchat, Fitbit, OpenAI (ChatGPT), and Rocket League experienced direct outages. Critically, Cloudflare, which relies on GCP infrastructure, also went down, creating a cascading failure that took out Discord, Twitch, and thousands of other websites.
Amazon Web Services: October 20, 2025
An industry study covering January–August 2025 also noted approximately 38 smaller AWS incidents, averaging 1.5 hours each.
Impact: The outage affected a sweeping range of financial and retail services including Coinbase, Robinhood, PayPal, Venmo, Lloyds Bank, and Halifax Bank. Consumer platforms including Snapchat, Reddit, Slack, Discord, Zoom, and Uber were also disrupted.
Microsoft Azure: October 29 and December 8, 2025
Azure experienced two significant outages in the latter half of 2025. On October 29, a global failure of Azure Front Door (their content delivery network) impacted Microsoft 365 services including Teams and Outlook, as well as Xbox, Minecraft, and enterprise customers like Alaska Airlines. More recently, on December 8, a configuration issue specifically affected Azure Government regions, disrupting U.S. government portals and services.
While Azure reported fewer incidents than Google or AWS by mid-year (approximately nine significant ones), their outages tended to last longer on average, a critical consideration for service-level agreements.
Outages snapshot
| Provider | Date | What Happened | Who Was Affected |
| --- | --- | --- | --- |
| Google Cloud | June 12 | Global authentication failure locked users out of services | Spotify, Fitbit, Discord, Twitch, ChatGPT; cascading impact via Cloudflare |
| AWS | Oct 20 | Infrastructure failure created 15+ hour domino effect | Coinbase, Robinhood, PayPal, Lloyds Bank, Halifax, Uber, Slack |
| Azure | Oct 29, Dec 8 | Content delivery network failure; further govt outage Dec 8 | Microsoft Teams, Outlook, Xbox, Alaska Airlines, US govt portals |
What this means under DORA
DORA explicitly extends operational resilience requirements to critical third-party providers. When Lloyds Bank and Halifax were affected by the October AWS outage, the disruption was not treated as an external event beyond their control. Under DORA, firms bear responsibility for ensuring continuity regardless of where the failure originates.
This raises an obvious question: if a major cloud provider goes down, many firms go down simultaneously. Surely regulators cannot fine everyone?
The short answer is that regulators are not naive about cloud concentration. They know the industry cannot have everyone running fully redundant dual-cloud environments. That would be prohibitively expensive and operationally brutal. But this is precisely why regulators are signalling expectations now, before the next catastrophic outage.
They are creating a paper trail. When the next major outage occurs, regulators will be positioned to distinguish between firms that prepared and firms that did not. The unprepared ones face enforcement action; the prepared ones demonstrate that compliance was achievable.
A firm that experiences a 15-hour outage but has documented testing of a fallback plan will face significantly less regulatory heat than one with no contingency at all. That is the real calculation DORA introduces.
Regulators won't fine everyone, just the unprepared
The pattern is unmistakable: systemic failures at major cloud providers are not rare exceptions but predictable events. For financial services firms operating under DORA, this creates an urgent compliance and operational challenge.
The regulator's actual leverage:
Yes, if a major cloud provider goes down, many firms go down simultaneously, and the regulator can't fine everyone. But that's precisely why regulators are signaling this now, before the next catastrophic outage. They're creating a paper trail of expectations so that when (not if) it happens:
- They can identify which firms planned for it and which didn't, then fine the unprepared ones.
- They can use the incident to justify stricter rules going forward (mandatory geographic distribution, mandatory secondary cloud vendor, mandatory on-premise fallback for critical functions).
- They preserve grounds for enforcement against the worst-prepared firms while the sector collectively absorbs the shock.
The real issue DORA is addressing:
The regulator isn't naive about cloud concentration; they know you can't have everyone on dual clouds. What they're preventing is firms getting caught flat-footed with zero contingency plans. A firm that experiences a 15-hour outage and has documented testing of a fallback plan faces less regulatory heat than one that has nothing.
What DORA Demands Now
DORA does not require redundancy across all services. But it does require demonstrable resilience for critical functions. The practical requirements break down into four areas.
Tested Failover for Critical Functions
Not necessarily instant failover, but a tested ability to restore critical functions — even if recovery takes hours rather than minutes. The question regulators will ask is not whether you have a backup plan, but whether you have tested it under realistic conditions.
Data Portability
Demonstrable evidence that your firm is not locked into a single provider. This means understanding where your data sits, how it could be migrated, and what the realistic timeline for that migration would be.
Partial Redundancy for Survival-Critical Services
Not everything needs to be multi-cloud — just the functions that are essential for business continuity. Firms need to identify which services fall into this category and ensure those have genuine alternatives.
Manual Processes or Lightweight Backups
For functions that cannot justify full redundancy, firms need fallback procedures that can sustain operations for 15 or more hours while primary services are restored. Sometimes the answer is a documented manual process that keeps the business running, not another cloud.
The Bottom Line
The events of 2025 have given financial services firms a preview of the operational resilience challenges DORA is designed to address. Cloud provider outages are realities that have already impacted banks, payment providers, and trading platforms.
The firms that treat DORA as an opportunity to strengthen their operational foundations will be better positioned than those that view it merely as a compliance burden. When the next major outage occurs, regulators will distinguish between firms that were prepared and those that were not.
The question for every financial services leader is straightforward: when your cloud provider's problem becomes your problem, what will you be able to show the regulator?
References
- AWS October 2025 Outage: US-EAST-1 region failure affecting DynamoDB and dependent services for 15+ hours.
- Google Cloud June 2025 Outage: Service Control system failure causing global authentication lockout.
- Azure October/December 2025 Outages: Azure Front Door failure (October 29) and Azure Government configuration issue (December 8).
- Industry Analysis: Study covering January–August 2025 documented 38 AWS incidents (avg. 1.5 hours each) and 78 GCP incidents.
January 5, 2026
Philip Flood - Product Manager - Regulatory Solutions