AWS for Industries

Introducing the AWS guide to building and operating financial services workloads for DORA (Level 2)

The Digital Operational Resilience Act (DORA) is a pan-European legislative framework on operational resilience and cyber resilience in the financial sector. DORA outlines improvements in information and communications technology (ICT) and security risk-management requirements, a harmonization regime for ICT incident reporting, development of a digital operational resilience testing framework, and an oversight framework for critical ICT third-party providers.

DORA Level 1 regulation

Regulation (EU) 2022/2554 is the primary DORA regulation, also referred to as the Level 1 regulation. It describes the framework for improving digital operational resilience across the financial sector. It entered into force on 16 January 2023 and will apply as of 17 January 2025.

In July 2024, we released the AWS User Guide to the Digital Operational Resilience Act (DORA), which provides AWS considerations related to the DORA Level 1 regulation. It describes the roles that AWS and its customers play in managing operational resilience whilst using AWS services, the AWS Shared Responsibility Model, and the compliance frameworks, AWS services and features, and measures which customers can use to evaluate their compliance with specific DORA requirements.

In November 2024, we released the AWS Level 1 Workbook for the Digital Operational Resilience Act (DORA), which provides a mapping table summarizing AWS considerations related to each component of the DORA Level 1 regulation.

DORA Level 2 standards

DORA mandates that the European Supervisory Authorities (ESAs) draft Level 2 measures, as regulatory technical standards (RTSs) and implementing technical standards (ITSs). These contain more detailed requirements on how financial entities (FEs) should implement the DORA framework at a practical level.

Note: The Level 2 standards do not replace or supersede the DORA Level 1 regulation. Rather, they complement and contextualize it, and must be read in relation to the Level 1 regulation.

AWS guide to building and operating financial services workloads for DORA (Level 2)

Today, we are announcing the launch of the AWS guide to building and operating financial services workloads for DORA (Level 2). This guide is available for AWS customers to download from AWS Artifact. It covers the following topics:

  • The respective roles that the customer and AWS each play in managing operational resilience and security on AWS.
  • An overview of the DORA Level 2 standards in scope for the guide.
  • Detailed guidance and resources that customers can use to help build and operate financial services workloads aligned to DORA Level 2 requirements.
  • The AWS compliance programs, services, and resources available to regulated entities to help them evaluate and demonstrate their resilience and security using AWS.

The initial version of the guide covers the following DORA Level 2 standards, which have been finalized and published in the Official Journal of the European Union (OJEU):

  • DORA RTS on ICT risk management. Requires FEs to establish and maintain effective and prudent management of ICT risk to achieve a high level of digital operational resilience.
  • DORA RTS on ICT third-party risk management. Requires FEs to define and implement a policy for their use of ICT third-party service providers that support critical or important functions as part of their overall ICT risk management framework.

Where relevant to AWS customers, we plan to extend the Level 2 guide in the future by publishing new versions to cover additional DORA Level 2 standards after they are finalized and published in the OJEU.

Next steps

As the regulatory environment continues to evolve, we’ll provide further updates regarding AWS offerings in this area on the AWS for Industries Blog and the AWS Compliance page. The DORA Level 2 guide adds to the resources AWS provides about financial services regulation across the world. Find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS account manager for help to find the resources you need.

Eduardo Vilela

Eduardo is Head FSI Reg. Enablement EMEA and helps our financial services customers with regulatory requirements and guidelines relating to risk and cybersecurity. He joined AWS after working more than 25 years at UBS, BBVA, Barclays Capital and Promontory (an IBM company). He provides governance solutions to boards of directors and to FSI leadership, and is well-versed in helping companies meet stringent regulatory requirements as they operate in the cloud.

James Greenwood

James is a principal security solutions architect who helps AWS Financial Services customers meet their security and compliance objectives in the AWS cloud. James has a background in identity and access management, authentication, credential management, and data protection, with more than 20 years' experience in the financial services industry.