Everything You Need to Know About AWS DORA Compliance

In this guide, we discuss the mechanics of Amazon Web Services (AWS) DORA compliance and how best to achieve it, especially for European Union (EU) financial services entities working closely with information and communication (ICT) providers.

Note that we’ve kept this guide as succinct as possible to provide only an overview of how to achieve DORA compliance with AWS. For a more thorough discussion, we recommend you read the AWS User Guide to the Digital Operational Resilience Act (DORA).

What is DORA?

DORA, or the Digital Operational Resilience Act, is a legislative framework introduced as Regulation 2022/2554. It aims to strengthen operational and cyber resilience strategies, especially for financial institutions.

The act details strict requirements for third-party ICT organizations to protect themselves and their end-users from threat actors, particularly for withstanding, responding to, and recovering quickly from common cyberattacks and evolving threats. This includes allocating capital to cover potential losses. We’ve also published “What Is Digital Operational Resilience Act (DORA) Compliance” as a guide. 

Why is this important? Look at some key statistics from the World Economic Forum’s Global Cybersecurity Outlook 2025:

• 49% of public sector organizations state they lack the necessary resources to meet their cybersecurity goals—a concerning increase from only 33% in 2024.
• 35% of small organizations believe their cyber resilience strategies to be inadequate—a sevenfold increase since 2022.
• 15% of European and North American respondents lack confidence in their country’s ability to respond to sophisticated cyberattacks.
• One in three CEOs say loss of intellectual property is their major concern, whether from external threat actors or insider threats.

DORA required compliance from financial institutions by January 17, 2025. Financial entities and their respective ICT third parties (Registers of information—RoI) need to report to competent authorities to determine their current compliance level and how to improve or maintain it. Failure to meet its requirements can lead to severe financial penalties and legal consequences. (A full list of DORA updates can be found on their official website).

AWS services for financial regulatory compliance

In response, Amazon released a letter detailing AWS security for financial services. AWS helps organizations meet these regulatory standards by offering a broad set of security, compliance, and resilience tools, including threat-led penetration testing (TLPT) and ICT-incident reporting.

We’ll discuss that here later in “How AWS supports DORA compliance”.

Understanding DORA compliance requirements

While we’ve written a more detailed guide on the 5 Pillars of DORA regulation, here is a summary:

1. ICT risk management: Organizations must develop a robust ICT risk management framework that includes strategies, policies, and tools for securing all ICT assets, including computer software, hardware, and servers.
2. Incident reporting: Organizations must report all major ICT-related incidents to relevant authorities. Financial entities must also maintain a detailed log of all cyber incidents.
3. Resilience testing: Organizations must regularly test the soundness of their ICT systems to ensure business continuity and maintain operational efficiency.
4. Third-party risk management: Financial entities must ensure that their RoIs meet DORA regulatory requirements.
5. Information sharing: Organizations are encouraged to collaborate and share cybersecurity strategies to build collective resilience.

How AWS supports DORA compliance

AWS operates under a Shared Responsibility Model, which means that while AWS manages the security of its cloud infrastructure, customers are responsible for securing their own data within the cloud.

While this closely follows DORA regulatory requirements, it also means that every financial institution and its RoI must make its own necessary changes. AWS customers are encouraged to reach out to their account team to discuss their specific DORA compliance requirements.

• TLPT: AWS can assist customers with their TLPT requirements for DORA. All sensitive information is shared on a need-to-know basis with relevant authorities.
• ICT-incident reporting: AWS does not have complete visibility into data uploaded into a customer’s account due to its Shared Responsibility Model. Even so, AWS can help customers securely manage sensitive information and its reporting.

It’s worth noting that AWS is still refining DORA requirements with the European Supervisory Authorities (ESAs), as some provisions require further elaboration. For example, the AWS management team has suggested further clarification on the definition of “ICT subcontractor” to prevent miscommunication and undue punishment to thousands of subcontractors.

Nevertheless, AWS offers several prescriptive documents for DORA preparation, such as educating customers on building a resilience lifecycle framework.

💡AWS holds various internationally recognized security and compliance certifications, including ISO 27001, SOC 2, and GDPR—all of which support DORA-related requirements.

AWS services for DORA compliance

Searching for services to assist with the “Digital Operational Resilience Act AWS” will yield the following results:

Risk management & resilience

• AWS Security Hub provides a central location for managing security and compliance and helps organizations detect security vulnerabilities in real-time.
• AWS Config continuously tracks configuration changes to AWS resources.
• AWS Backup enables automated backup policies, improving resilience against data loss.

Incident reporting & monitoring

• AWS CloudTrail records AWS API calls and helps you track unauthorized access and changes to cloud environments.
• Amazon GuardDuty uses machine learning to analyze cloud activities and detect suspicious behavior.
• AWS Audit Manager assesses your compliance posture by automating evidence collection and streamlining audits.

Resilience testing

• AWS Resilience Hub helps organizations identify weaknesses in their backup and disaster recovery plans.
• AWS Fault Injection Simulator creates controlled chaos engineering experiments so you can test how your applications respond to failures.

Third-party risk management

• AWS Marketplace can help you reach AWS DORA compliance by providing a selection of vetted third-party security solutions.
• AWS Control Tower can help you maintain security best practices while using AWS at scale.

Implementing DORA compliance on AWS

These recommended steps show how to implement DORA requirements in AWS.

⚠️ Keep in mind that there are still no exact rules to follow as AWS is refining DORA compliance requirements. The steps listed below are only recommendations. Speak with your AWS account manager for more specific instructions. 

1. Assess your existing security posture: Conduct a comprehensive gap analysis to identify any security weaknesses and regulatory deficiencies. It is a good idea to map out your existing security controls against DORA requirements.
2. Implement security controls as needed: AWS provides multiple services to help you enforce security controls, such as AWS Key Management Service and AWS Identity and Access Management. To further strengthen security, we recommend implementing multi-factor authentication (MFA) and enforcing least privilege access policies.
3. Set up incident monitoring and reporting: Use AWS CloudTrail and Amazon GuardDuty to continuously monitor your AWS environment. By automating incident reporting, you ensure compliance with DORA’s strict reporting timelines.
4. Conduct regular resilience testing: Consider conducting regular penetration testing, disaster recovery drilling, and automated failover mechanisms to ensure your organization remains operational even in the face of a cyberattack or system failure.
5. Manage risk by third parties: AWS Control Tower can help you standardize practices across multiple AWS accounts, while AWS Audit Manager can optimize and streamline third-party audits.
6. Automate compliance monitoring: It’s highly recommended that you leverage automation to reduce the burden of manual compliance checks and ensure that your security controls remain effective. Consider using AWS Config and AWS Audit Manager to help you enforce regulatory requirements automatically.

Challenges in AWS DORA compliance and troubleshooting

Managing multi-cloud and hybrid environments

Today, most financial entities use a combination of cloud providers, on-premises infrastructure, and hybrid cloud solutions, which can make ICT risk management challenging. To resolve this, we recommend ensuring uniform security policies and standard governance frameworks across all platforms.

Ensuring end-to-end AWS resilience testing for DORA

Resilience testing must cover all aspects of your entire ICT environment; however, performing these tests across multiple systems can be complex. To resolve this, consider developing a structured security framework to simulate disruptions effectively. You can also leverage AWS Resilience Hub for a unified approach to resilience testing.

Addressing third-party risk management

A significant portion of DORA regulatory requirements covers third-party service providers. This segmentation of entities can make it difficult to comply with DORA. We recommend using AWS Audit Manager and AWS Marketplace to help you monitor third-party compliance. You are encouraged to conduct thorough vendor risk assessments to minimize risks effectively.

Automating compliance without losing control

While automation can streamline compliance, there is always a risk of overlooked security gaps or misconfigurations—especially if your business relies too heavily on automated tools. It’s a good idea to focus on a more layered approach, combining automated compliance checks with manual security audits. AWS Config and AWS Security Hub can also prove useful here.

Frequently Asked Questions (FAQs)

1. Does AWS provide out-of-the-box compliance for DORA?

AWS currently does not have DORA-specific tools but provides numerous other tools that can help you improve your security posture.

2. How does AWS compare to other cloud providers in terms of DORA compliance?

AWS is comparable to other cloud providers. As detailed previously, it offers an extensive suite of security and compliance services. AWS has made significant efforts to align with DORA, just like other cloud providers. A comparison would depend on specific services, customer needs, and similar factors.

3. What are the penalties for noncompliance with DORA?

Noncompliance can lead to financial penalties and legal consequences. According to Infosecurity Europe, noncompliance with DORA can lead to a fine of up to 2% of your global annual turnover or €10 million, whichever is higher.

Ensuring AWS DORA compliance

Financial institutions operating in the EU must comply with DORA. That said, as it is relatively new, there are still uncertainties about how it affects users of AWS. Amazon Web Services has a robust set of tools that can help you meet these provisions efficiently, but it is still recommended that you speak with your dedicated account team to know exactly what to do to build a secure and compliant cloud environment.