Introducing DORA
If you’re a financial organization like a bank, insurance company, investment firm, or credit union, your cloud needs to be an impenetrable fortress. Organizations from pretty much every sector have unique cloud security obstacles to overcome, but financial organizations, in particular, have their hands full. That’s because these organizations are stewards of extremely sensitive data.
McKinsey reports that 84% of financial services organizations surveyed are considering cloud computing trends. Every one of these organizations must prioritize addressing cloud compliance obligations and security risks. If you want to know why it’s so important, check out what Gartner has to say: The average cost of a data breach for financial companies is $6.08 million, much higher tha
n the global average of $4.45 million.
Different entities respond to cloud threats in different ways. For the European Union (EU), the response was the Digital Operational Resilience Act (DORA). DORA is basically a standardized framework for cybersecurity and operational resilience. It applies to cloud service providers, information and communication technology (ICT) third-party service providers, and more than 22,000 financial organizations across Europe and beyond its borders.
While DORA has been in the works for quite some time, the framework came into force on January 17, 2025. In other words, DORA-regulated financial organizations need to get the ball rolling ASAP with their cybersecurity measures. To meet DORA’s requirements, avoid pesky penalties, and achieve strong cloud compliance, proactive preparation is essential.
Before you proceed, a word of advice: DORA compliance for the cloud is a whole new ballgame. So to achieve DORA compliance, financial organizations with cloud-dominant IT architectures need to factor in a few more specific details. This cloud-focused DORA compliance checklist is a comprehensive resource that can help financial organizations get things underway.
Understanding DORA compliance in the cloud
The more IaaS, PaaS, and SaaS services you have, the more unique your DORA compliance obligations will be. But don’t worry; this checklist is designed to systematically address these challenges and make your DORA compliance roadmap as simple and effective as possible.
To start achieving DORA compliance in the cloud, you need to know all about its five key pillars and their cloud implications.
ICT risk management
DORA requires financial organizations to set up strong risk management frameworks and governance protocols in order to monitor and mitigate risks associated with internal and third-party ICT systems. In the cloud, this means conducting cloud risk assessments, pinpointing critical ICT risks, introducing cloud security tools, mapping ownership and accountability, and frequently revamping risk management capabilities.
Incident reporting and response
To achieve DORA compliance, financial companies need strong cloud incident detection, response, and reporting capabilities. The cloud makes this slightly tricky because incidents come hard and fast, but all you really need to do is set up protocols to inform customers and relevant authorities about critical incidents like data breaches or service disruptions.
Resilience testing
Under DORA, financial services companies have to consistently and regularly test their risk management posture. If any weaknesses or vulnerabilities are found, they need to be patched immediately. In the cloud, this involves performing vulnerability assessments and using SAST, DAST, and SCA too. A mix of internal and external penetration tests, like threat-led penetration testing (TLPT), are good ways to round out your cloud resilience testing.
Third-party risk management
For DORA compliance, financial organizations must thoroughly vet their third-party service providers. With cloud supply chain attacks on the rise, it’s crucial to navigate shared responsibility models, identify risks associated with third-party providers, map dependencies across ICT services, and make sure that service-level agreements (SLAs) touch on risk management.
Information sharing
DORA urges financial companies to engage in information sharing initiatives to help other organizations learn about cloud security risks and how to defend against them. Specifically, DORA encourages companies in the financial sector to establish standards on how cloud threat data is exchanged with the rest of the community.
DORA: Everything financial institutions need to know
Discover the ins and outs of this new set of regulations that applies to over 22,000 organizations in the European Union (EU).
Download PDF
DORA compliance checklist for cloud security
In this section, we’ll break down how you can introduce and meet cloud standards that can help with DORA compliance.
ICT risk management for cloud services
Establish an ICT risk management framework
Your first step toward becoming DORA-compliant should be setting up a cloud-specific ICT risk management framework. Here’s your to-do list:
Establish a DORA cloud compliance committee.
Understand and internalize DORA’s requirements.
Choose the right metrics and key performance indicators to measure DORA compliance.
Perform a current state analysis of your ICT systems to identify gaps.
Create DORA-specific policies or weave DORA principles into existing risk management policies.
Design strong cloud risk assessment plans.
Develop detection and response strategies.
Match your DORA risk management framework with other relevant frameworks such as HIPAA, GDPR, or FISMA compliance.
Schedule frequent reviews of your cloud ICT risk management framework.
Reinforce your governance posture to include DORA-compliant monitoring and reporting mechanisms.
Conduct risk assessments
ICT risk management in the cloud hinges on effective risk assessments. To perform strong risk assessments…
Base your risk assessments on reputed cybersecurity and cloud security frameworks like the NIST Cybersecurity Framework.
Build an inventory of ICT systems in your cloud estate.
Identify all possible bugs, misconfigurations, and vulnerabilities that could compromise these ICT systems.
Measure the potential blast radius and business impact of each ICT system risk.
Establish security tools, measures, and playbooks to mitigate critical risks.
Introduce security controls
To put DORA principles into action, you need a combination of security controls and measures like…
Identity and access controls via a cloud infrastructure entitlement management (CIEM) tool
Data classification and encryption via a data security posture management (DSPM) solution
A vulnerability management solution that operates across VMs, containers, applications, and other cloud assets
Network micro-segmentation solutions
Firewalls
Misconfiguration detection controls via a cloud security posture management (CSPM) tool
Intrusion detection systems
Establish continuous monitoring and risk mitigation
To be DORA-compliant in the cloud, you need to stay on top of risks in real time. Here’s how you can do that:
Enforce DORA policies to automatically red-flag compliance risks.
Choose an agentless tool to achieve deep visibility.
Introduce 24/7 cloud-monitoring mechanisms.
Enrich your monitoring capabilities with deep cloud context.
Use cloud and business contexts to prioritize critical risks and remove the noise.
Demonstrate DORA compliance with the right documentation
Being DORA compliant is one thing, but proving it is another. Documentation that can help satisfy regulators includes:
Cloud security policies
Third-party vendor agreements and contracts
Audit logs
Training documentation and handbooks
Risk assessment reports
TLPT reports
Data governance policies
Third-party and cloud provider risk management
Cross-check contract requirements
To make sure your cloud supply chain is DORA-compliant, make sure that your SLAs address the following:
Data access controls and permissions
Encryption standards and key management
Business continuity guarantees
Incident reporting obligations and timelines
Provisions for regulatory audits and inspections
Conduct due diligence
To assess if your providers can support DORA compliance, due diligence and continuous monitoring are a must. Your game plan:
Create a topology of your cloud services and vendors.
Identify vendor risks based on DORA principles.
Confirm vendors’ compliance certifications.
Keep an eye on your vendors’ industry, security, and regulatory reputation.
Loop vendors into cloud security meetings and strategies.
Regularly review SLAs.
Analyze vendor-specific risk assessment reports.
Design cloud exit strategies
Vendor lock-in is the enemy of a healthy cloud compliance posture because it restricts flexibility and adaptability, both of which are crucial in today’s high-octane regulatory setting. Here’s how to avoid that scenario:
Learn the regulatory risks of vendor lock-in.
Carefully consider every single cloud vendor.
Use open-source cloud services whenever possible.
Make sure your API architecture supports quick change.
Reinforce your own security capabilities.
Embrace a flexible multi-cloud culture.
Design an in-depth exit playbook.
Separate critical and noncritical providers
For DORA compliance, remember that all your vendors aren’t equal. Simply put, you need to make sure that you have specific plans for different types of vendors:
For critical vendors: Ensure strong SLAs, reliable communication channels, and frequent reviews based on DORA requirements.
For non-critical vendors: Re-evaluate their services, perform occasional reviews, and measure where they stand with DORA principles.
Cloud incident response and notification
Set up cloud-specific incident response playbooks
To stay compliant with regulations like DORA, you must establish incident response playbooks for specific types of incidents. Here’s what to do:
Invite key stakeholders to collaborate on response playbooks.
Set up mechanisms that can reveal the root cause and blast radius of an incident.
Use a cloud security solution that offers automation and remediation suggestions.
Bring in tools like CDR and SIEM to support the incident response process.
Make sure that the following key incident response steps are covered: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
Set up DORA-compliant incident notification protocols and practices.
Understand DORA’s incident response timelines
DORA has very specific notification timelines that you need to know about:
First report: As early as possible but less than 24 hours after you’ve noticed a serious incident
Intermediate report: Less than 72 hours after the incident
Final report: Less than one month after the incident
Develop a response and recovery strategy
In the cloud, incidents are inevitable. But you can still maintain DORA compliance as long as you have powerful response protocols and a good recovery strategy. Action items:
Establish a high-level DORA-compliant incident response policy for all plans and playbooks.
Support your strategy with frameworks like the SANS Incident Response Framework, NIST CSF, CIS Controls, and our very own Quickstart Template for Cloud Incident Response.
Automate incident recovery practices such as asset isolation and service restoration.
Use a combination of network, audit, application, container, and application logs to accelerate the process.
Prepare cross-team coordination for incident remediation
Establish cloud security roles and responsibilities.
Map how incident response automation and manual intervention will overlap.
Conduct real-world incident response simulations.
Set up communication channels for quick exchange of incident details.
Standardize postmortem procedures.
Evaluate cross-team incident response collaboration on a regular basis to identify where you can improve.
Cloud resilience testing and disaster recovery
Develop a comprehensive approach to cloud resilience testing
Cloud resilience testing is crucial for DORA compliance, but it should be done in a meticulous and structured way:
Choose the right penetration testing methodology (options include OWASP, OSSTMM, and PTES).
Mix and match black-box, white-box, and gray-box penetration testing.
Establish the frequency of cloud security assessments.
Create and road-test failover drill procedures.
Document all resilience testing activities.
Develop cloud-specific disaster recovery (DR) and business continuity plans (BCP)
The cloud is susceptible to many unique risks, but as long as you have DR and BCP plans in place, you can keep regulatory authorities and your customers satisfied. Follow these steps:
Figure out your recovery point objective (RPO) and recovery time objective (RTO).
Map out your mission-critical systems to accurately prioritize your DR and BCP plans.
Design DR and BCP plans in a way that keeps your crown jewel data safe.
Make sure that everyone in your cloud security teams knows their roles and responsibilities.
Conduct DORA-centric cyber resilience stress tests
Your cyber resilience tests need to be based on all potential regulatory assessments, DORA and beyond. The formula for good stress tests includes:
Identifying your compliance obligations (examples include DORA, GDPR, HIPAA, and FISMA compliance)
Having specific objectives when stress testing ICT systems
Making sure that your stress tests reflect real-world situations
Using the right KPIs and metrics like mean time to detection (MTTD) and mean time to remediation (MTTR)
Considering the use of third-party stress testers in addition to in-house efforts
Document test results and remediation plans
To maintain cloud compliance and meet DORA requirements, you need to carefully document the results of your resilience tests as well as your remediation plans:
Make sure your resilience tests have a standardized format.
Include a mix of technical and business details to explain the big-picture objectives of each test.
Categorize test results based on degrees of severity.
Establish easy-to-follow and precise remediation plans.
Prioritize version control to track multiple iterations of tests and documentation.
Ensuring compliance in multi-cloud and hybrid cloud environments
Establish consistent security policies across diverse cloud environments
It’s no secret that the vast majority of enterprises, including financial companies, use multi-cloud architectures. It’s important to be wary of policy silos and maintain standardized policies across your cloud. Next steps:
Replace agent-based tools with agentless tools.
Choose a solution that allows you to easily weave in other tools and capabilities.
Replace cloud security silos with a unified security platform.
Mix centralized cloud security with a self-service model.
Use a single cloud security policy across your IaaS, PaaS, and SaaS resources.
Automate compliance monitoring and policy enforcement
Since the cloud is so fast-paced, you need automated compliance capabilities in order to adhere to DORA. Your automation roadmap has to:
Introduce automated continuous compliance assessments
Customize your compliance and policy framework to meet requirements (for example, mixing DORA principles with HIPAA or FISMA compliance goals)
Mandate the automation of both high-level and granular compliance report generation
Use a policy-as-code approach to automate policy enforcement
Sync DORA with other regulations
Like most enterprises today, you likely have to adhere to numerous compliance frameworks in addition to DORA. Here are a few tips to navigate these compliance obligations:
Create a list of all the regulatory frameworks you need to follow.
Identify data sovereignty requirements.
Craft your own cloud security frameworks and policies to address multiple compliance requirements.
Configure your cloud security program in a way that addresses multiple compliance frameworks at once.
Maintain regulation-specific documentation.
Right-size identity and access
There are hundreds, maybe even thousands, of digital identities in your cloud environments. Here are some access-centric ways you can secure your cloud and adhere to DORA:
Identify and map identity risks.
Gain visibility of identity-related attack paths.
Use a CIEM solution, which is a cloud-native variant of IAM.
Enforce zero-trust mechanisms like least privilege and MFA.
Commission tools with automated effective permissions analysis capabilities.
Enforce identity threat detection and response.
How cloud-native security solutions support DORA compliance
We’ve said it before, and we’ll say it again: If you want to address unique cloud security and compliance challenges, you need a security solution that’s built for the cloud. For DORA compliance, you need a diverse mix of cloud-native security capabilities, ideally within the same platform. Siloed security is its own headache.
That’s where CNAPPs come in handy. CNAPPs are particularly useful for DORA compliance in the cloud because they have automation capabilities for continuous cloud compliance assessments and policy enforcement, as well as crucial capabilities like threat detection, vulnerability management, and security posture assessments.
Just take a single component of a CNAPP like CSPM and think about what a game-changer it can be for your compliance posture. A strong CSPM tool can help you enforce DORA principles across your cloud environments and provide continuous detection capabilities to inform you when you’ve slipped. The best CSPM tools go beyond just an endless list of misconfiguration detections; they will tell you which ones actually matter to you and are relevant to DORA. And that’s just one capability.
The bottom line is that for compliance regulations like DORA, your cloud environments need to be in the hands of cloud experts. On that note, say hello to Wiz.
How Wiz can support DORA compliance for financial organizations
Wiz CNAPP, which features CSPM, CIEM, AI security, DSPM, CWPP, vulnerability management, and more, has all the cloud-native compliance capabilities that enterprises in the financial sector need in order to understand and adhere to DORA.
Let’s talk about some of Wiz’s standout characteristics and offerings that can help with DORA compliance:
Wiz features entirely agentless scanning technology, which is a boon for complete cloud environment visibility. By achieving easy and comprehensive visibility across your cloud resources, you’ll be setting yourself up for a strong compliance posture.
Wiz provides automated risk assessments and continuous compliance monitoring capabilities, meaning even the slightest configuration drift or compliance misstep will be flagged before it becomes a serious issue.
Speaking of tackling serious issues, Wiz has real-time threat detection and incident response capabilities to help you handle the high volume of events that cloud environments face.
Wiz addresses another important aspect of DORA, which is supply chain security management and least-privilege access enforcement. Basically, everyone with access to your cloud environment, in-house or third-party, will only have the bare minimum privileges needed to conduct their tasks.
All in all, Wiz is a strong option if you’re looking for unified cloud security for multi-cloud environments. It’s quick, lightweight, and multi-faceted and can make DORA compliance a lot easier than it looks.
Get a demo now to see Wiz’s cloud compliance capabilities in action.
100+ Built-In Compliance Frameworks
See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.
