AWS for Industries

Introducing the AWS Level 1 DORA Workbook for AWS customers regulated under DORA

The Digital Operational Resilience Act (DORA) is a pan-European legislative framework on operational resilience and cyber resilience. DORA outlines improvements in information and communications technology (ICT) and security risk-management requirements, a harmonization regime for ICT incident reporting, development of a digital operational resilience testing framework, and an oversight framework for critical ICT third-party providers. The primary DORA regulation, also referred to as the Level 1 regulation, describes the overall framework for improving digital operational resilience across the financial sector.

DORA sets uniform requirements for Financial Entities (FEs), Independent Software Vendors (ISVs), and ICT providers to achieve a high common level of digital operational resilience. It covers requirements related to ICT risk management, reporting of major ICT-related incidents and cyber threats, digital operational resilience testing, information sharing on cyber threats and vulnerabilities, and measures for managing ICT third-party risk. DORA promotes a principles-based approach to ICT risk management, giving FEs the flexibility to use different management models as long as they address key functions, such as identification, protection, detection, response, recovery, and communications. DORA requires FEs to maintain updated and resilient ICT systems that can withstand stressed market conditions and adverse situations, and mandates efficient business continuity and recovery plans to limit damage and ensure prompt resumption of activities after ICT-related incidents.

In July 2024, we released the AWS User Guide to the Digital Operational Resilience Act (DORA). This guide describes the roles that AWS and its customers play in managing operational resilience whilst using AWS services, and describes the AWS Shared Responsibility Model, compliance frameworks, AWS services and features, and the frameworks and measures which customers can use to evaluate their compliance with specific DORA Level 1 requirements.

Today, we are announcing the launch of the AWS Level 1 Workbook for the Digital Operational Resilience Act (DORA), an extended resource to support AWS customers regulated under DORA. The workbook sets out resources that allow AWS customers to use AWS services in an operationally resilient way through the Shared Responsibility Model, AWS compliance programs, and relevant AWS thought leadership and whitepapers. This workbook is complementary to the AWS User Guide to the Digital Operational Resilience Act and is available through AWS Artifact.

How to use the workbook

Start by understanding the requirements placed on your organization by DORA, including those relating to ICT risk management, management of ICT third-party risk, and the development of an operational resilience strategy.

Deep-dive into our series of considerations for how financial entities seeking to meet the regulatory expectations set by DORA can use AWS services and documentation to help show their compliance. These considerations include using AWS services such as AWS Audit Manager, AWS Security Hub, AWS Resilience Hub, and AWS Trusted Advisor to facilitate operational risk management activities, as well as AWS Health and AWS Incident Detection and Response (IDR) to support DORA incident reporting requirements.

Further, the workbook recommends that FEs use frameworks such as the AWS Cloud Adoption Framework (AWS CAF) to inform the design and operation of their governance and control frameworks, as well as the AWS Well-Architected Framework, which helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.

Next steps

As the regulatory environment continues to evolve, we’ll provide further updates regarding AWS offerings in this area on the AWS Industries Blog and the AWS Compliance page. The AWS Level 1 Workbook for DORA adds to the resources AWS provides about financial services regulation across the world. Find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS account manager for help to find the resources you need.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Additional resources

Eduardo Vilela

Eduardo is Head FSI Reg. Enablement EMEA and helps our financial services customers with regulatory requirements and guidelines relating to risk and cybersecurity. He joined AWS after working more than 25 years at UBS, BBVA, Barclays Capital and Promontory (an IBM company). He provides governance solutions to boards of directors and to FSI leadership, and is well-versed in helping companies meet stringent regulatory requirements as they operate in the cloud.