DORA Drives Cloud Diversification for European Clearing Houses
European clearing houses are facing a significant shift in their technology infrastructure as they prepare to comply with the Digital Operational Resilience Act (DORA). Recent guidance from German regulator BaFin indicates that relying on a single cloud provider is insufficient, necessitating fallback options like a multi-cloud strategy or on-premises solutions.
The Single Cloud Risk: Why DORA is Changing the Game
For years, many financial institutions have embraced the efficiency and scalability of single-cloud deployments. However, DORA recognizes the systemic risks associated with concentrating critical functions within a single provider. A disruption – whether technical, geopolitical, or security-related – at that provider could have cascading effects across the financial system.
Dmitrij Senko, a risk manager, highlighted BaFin’s clarification on this point, stating that a single cloud is no longer considered adequate under DORA. This signals a broader trend towards resilience through diversification.
BaFin’s Guidance: Simplifying DORA for Smaller Firms
While DORA applies to a wide range of financial entities, BaFin has issued guidance to simplify requirements for smaller and less complex institutions. This includes approximately 1,100 firms in Germany, such as small investment firms and insurance holding companies. These entities can benefit from a simplified ICT risk management framework, but the core principle of operational resilience remains.
The simplified framework removes obligations like maintaining a full digital resilience strategy or appointing a dedicated ICT risk control function. However, all firms, regardless of size, must address third-party risk management, including cloud providers.
The Rise of Multi-Cloud and Hybrid Cloud Strategies
The BaFin guidance effectively pushes clearing houses and other financial institutions towards multi-cloud or hybrid cloud strategies. A multi-cloud approach involves distributing workloads across multiple public cloud providers, reducing dependence on any single vendor. A hybrid cloud combines public cloud resources with on-premises infrastructure, offering greater control and flexibility.
This shift isn’t without its challenges. Managing multiple cloud environments introduces complexity in areas like data integration, security, and compliance. However, the potential benefits in terms of resilience and risk mitigation are substantial.
Impact Beyond Germany: A European Trend
While the initial clarification comes from BaFin, the principle of cloud diversification is likely to be adopted across Europe as other national regulators interpret and implement DORA. This will create a more standardized approach to operational resilience within the EU financial sector.
The focus on ICT risk management under DORA extends beyond cloud providers to encompass all critical ICT services. Financial institutions must map their dependencies, identify potential vulnerabilities, and implement appropriate safeguards.
DORA and the Broader Cybersecurity Landscape
DORA’s emphasis on operational resilience aligns with the broader trend of increasing cybersecurity threats facing the financial sector. The regulation recognizes that cyberattacks are a major source of operational risk and requires firms to proactively manage these threats.
BaFin’s guidance also acknowledges the overlap between DORA and existing IT requirements like BAIT/VAIT in Germany, aiming to clarify expectations and streamline compliance efforts.
FAQ
Q: What is DORA?
A: DORA is the EU regulation on Digital Operational Resilience in the Financial Sector, designed to strengthen the digital resilience of financial institutions.
Q: Does DORA apply to all financial institutions?
A: DORA applies to a wide range of financial entities, including banks, payment institutions, and insurance companies.
Q: What does BaFin’s guidance on cloud providers mean?
A: BaFin’s guidance indicates that relying on a single cloud provider is not sufficient for compliance with DORA, requiring fallback options.
Q: What is the simplified ICT risk management framework?
A: A simplified framework for smaller, less complex financial institutions, reducing some of the obligations under DORA.
Q: When does DORA come into effect?
A: DORA has been in force since January 17, 2025, with implementation timelines varying for different institutions.
Did you know? BaFin released its second supervisory statement on DORA in November 2025, specifically addressing simplified requirements for ICT risk management.
