
Digital Operational Resilience Act (DORA)

Overview

The Digital Operational Resilience Act (DORA) is a comprehensive pan-EU framework designed to enhance operational and cyber resilience in the financial sector. It establishes requirements for Regulated Entities (REs) to achieve a common level of digital operational resilience in the areas of Information and Communication Technologies (ICT) risk management, incident reporting, resilience testing, and third-party risk oversight, without restricting cloud service adoption.

AWS has released a DORA Financial Services Addendum (DORA FSA) which supplements the existing financial services addenda in order to reflect the contracting requirements of DORA. Eligible customers may contact their AWS Account Manager to request the DORA FSA.

At AWS, we're committed to helping our financial services customers navigate these requirements and enhance their overall ICT risk management posture. The AWS Well-Architected Framework is a valuable resource for REs seeking to build robust, secure, and efficient cloud infrastructures. This comprehensive framework is built on six key pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. By following the guidance and recommendations provided in the AWS Well-Architected Framework, REs can ensure their cloud architectures are not only compliant with regulatory requirements but also optimized for peak performance and resilience.

AWS guidance to help customers comply with DORA while migrating to the cloud

The AWS User Guide to the Digital Operational Resilience Act (DORA) describes the roles that AWS and its customers play in managing operational resilience while using AWS services. It also describes the AWS Shared Responsibility Model, compliance frameworks, AWS services and features, and the frameworks and measures that customers can use to evaluate their compliance with specific DORA Level 1 requirements.

The AWS Level 1 Workbook for Digital Operational Resilience Act (DORA) is an extended resource to support AWS customers regulated under DORA. The workbook sets out resources that allow AWS customers to use AWS services in an operationally resilient way through the Shared Responsibility Model, AWS compliance programs, and relevant AWS thought leadership and whitepapers. This workbook is complementary to the AWS User Guide to Digital Operational Resilience Act and is available through AWS Artifact.

The AWS guide to building and operating financial services workloads for DORA (Level 2) is available for AWS customers to download from AWS Artifact. It covers the following topics:

  • The respective roles that the customer and AWS each play in managing operational resilience and security on AWS.
  • An overview of the DORA Level 2 standards in scope for the guide.
  • Detailed guidance and resources that customers can use to help build and operate financial services workloads aligned to DORA Level 2 requirements.
  • The AWS compliance programs, services, and resources available to regulated entities to help them evaluate and demonstrate their resilience and security when using AWS.

As the regulatory environment continues to evolve, where relevant to AWS customers, we plan to extend the Level 2 guide in the future by publishing new versions to cover additional DORA Level 2 standards after they are finalized.

Find more information on cloud-related regulatory compliance at the AWS Compliance Center. You can also reach out to your AWS Account Manager for help finding the resources you need, including guidance available within AWS via public documentation, as well as engagement with the AWS FSI Compliance team, the AWS Partner Network, AWS Solutions Architects, Professional Services teams, and Training instructors.

Customers can use AWS services such as AWS Fault Injection Service, AWS Audit Manager, AWS Security Hub, AWS Resilience Hub, and AWS Trusted Advisor to facilitate operational risk management activities, as well as AWS Health, AWS Incident Detection and Response, and AWS Security Incident Response to support DORA incident reporting requirements.

To verify that AWS has specific policies and procedures in place and is compliant with a variety of security standards and regulations, AWS customers can download AWS's third-party audit reports (e.g. AWS ISO, SOC, and PCI reports) and documentation in AWS Artifact. AWS customers can also reference the AWS Compliance Programs to understand the controls in place at AWS to maintain security and compliance of the cloud. Within the AWS Compliance Program portal, the IT standards that AWS complies with are grouped into three categories: Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance.

AWS Security Assurance Services provides hands-on collaboration to help customers align their compliance strategies with DORA requirements, focusing on their responsibilities under the Shared Responsibility Model. Customers can use AWS Security Assurance Services to navigate regulatory complexities and leverage AWS services effectively.