As we look ahead to 2026, the European Union's Digital Operational Resilience Act (DORA) will fundamentally reshape how financial services firms think about operational risk. The core message is straightforward: DORA transforms cloud outages from third-party problems into your problems.
It is no longer enough to secure your own perimeter. Financial institutions are now operationally responsible for the resilience of their critical vendors, from cloud infrastructure providers like AWS and Azure to platform dependencies such as BlackRock Aladdin. If your cloud provider experiences an outage, your firm faces potential regulatory consequences unless you can demonstrate a credible contingency plan.
The case for urgent action is written in the incident logs of 2025. This year, the "Big Three" cloud providers (Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure) each suffered at least one massive, global-scale outage that disrupted major swaths of the internet, alongside dozens of smaller regional incidents. For financial services firms operating under DORA, these events serve as a stark reminder of systemic concentration risk.
Google Cloud experienced a catastrophic global outage caused by a software bug, specifically a "null pointer exception", in Google's Service Control system. This broke authentication globally, meaning services could not verify user identities, effectively locking everyone out. Industry reports noted that GCP experienced 78 incidents by mid-year, though most were minor and regional.
Impact: Spotify, Snapchat, Fitbit, OpenAI (ChatGPT), and Rocket League experienced direct outages. Critically, Cloudflare, which relies on GCP infrastructure, also went down, creating a cascading failure that took out Discord, Twitch, and thousands of other websites.
August 2025 also saw approximately 38 smaller incidents, averaging 1.5 hours each.
Impact: The outage affected a sweeping range of financial and retail services including Coinbase, Robinhood, PayPal, Venmo, Lloyds Bank, and Halifax Bank. Consumer platforms including Snapchat, Reddit, Slack, Discord, Zoom, and Uber were also disrupted.
Azure experienced two significant outages in the latter half of 2025. On October 29, a global failure of Azure Front Door (their content delivery network) impacted Microsoft 365 services including Teams and Outlook, as well as Xbox, Minecraft, and enterprise customers like Alaska Airlines. More recently, on December 8, a configuration issue specifically affected Azure Government regions, disrupting U.S. government portals and services.
While Azure reported fewer incidents than Google or AWS by mid-year (approximately nine significant ones), their outages tended to last longer on average, a critical consideration for service-level agreements.

| Provider | Date | What Happened | Who Was Affected |
|---|---|---|---|
| Google Cloud | June 12 | Global authentication failure locked users out of services | Spotify, Fitbit, Discord, Twitch, ChatGPT; cascading impact via Cloudflare |
| AWS | Oct 20 | Infrastructure failure created 15+ hour domino effect | Coinbase, Robinhood, PayPal, Lloyds Bank, Halifax, Uber, Slack |
| Azure | Oct 29, Dec 8 | Content delivery network failure; further govt outage Dec 8 | Microsoft Teams, Outlook, Xbox, Alaska Airlines, US govt portals |

DORA explicitly extends operational resilience requirements to critical third-party providers. When Lloyds Bank and Halifax were affected by the October AWS outage, the disruption was not treated as an external event beyond their control. Under DORA, firms bear responsibility for ensuring continuity regardless of where the failure originates.
This raises an obvious question: if a major cloud provider goes down, many firms go down simultaneously. Surely regulators cannot fine everyone?
The short answer is that regulators are not naive about cloud concentration. They know the industry cannot have everyone running fully redundant dual-cloud environments. That would be prohibitively expensive and operationally brutal. But this is precisely why regulators are signalling expectations now, before the next catastrophic outage.
They are creating a paper trail. When the next major outage occurs, regulators will be positioned to distinguish between firms that prepared and firms that did not. The unprepared ones face enforcement action; the prepared ones demonstrate that compliance was achievable.
A firm that experiences a 15-hour outage but has documented testing of a fallback plan will face significantly less regulatory heat than one with no contingency at all. That is the real calculation DORA introduces.
There is an unmistakable pattern where systemic failures at major cloud providers are not rare exceptions but predictable events. For financial services firms operating under DORA, this creates an urgent compliance and operational challenge.
Yes, if a major cloud provider goes down, many firms go down simultaneously, and the regulator can't fine everyone. But that's precisely why regulators are signaling this now, before the next catastrophic outage. They're creating a paper trail of expectations so that when (not if) it happens:
The regulator isn't naive about cloud concentration; they know you can't have everyone on dual clouds. What they're preventing is firms getting caught flat-footed with zero contingency plans. A firm that experiences a 15-hour outage and has documented testing of a fallback plan faces less regulatory heat than one that has nothing.
DORA does not require redundancy across all services. But it does require demonstrable resilience for critical functions. The practical requirements break down into four areas.
Not necessarily instant failover, but a tested ability to restore critical functions — even if recovery takes hours rather than minutes. The question regulators will ask is not whether you have a backup plan, but whether you have tested it under realistic conditions.
Demonstrable evidence that your firm is not locked into a single provider. This means understanding where your data sits, how it could be migrated, and what the realistic timeline for that migration would be.
Not everything needs to be multi-cloud — just the functions that are essential for business continuity. Firms need to identify which services fall into this category and ensure those have genuine alternatives.
For functions that cannot justify full redundancy, firms need fallback procedures that can sustain operations for 15 or more hours while primary services are restored. Sometimes the answer is a documented manual process that keeps the business running, not another cloud.
The events of 2025 have given financial services firms a preview of the operational resilience challenges DORA is designed to address. Cloud provider outages are realities that have already impacted banks, payment providers, and trading platforms.
The firms that treat DORA as an opportunity to strengthen their operational foundations will be better positioned than those that view it merely as a compliance burden. When the next major outage occurs, regulators will distinguish between firms that were prepared and those that were not.
The question for every financial services leader is straightforward: when your cloud provider's problem becomes your problem, what will you be able to show the regulator?