How to balance cloud agility with operational resilience under DORA
As financial institutions accelerate cloud adoption, the Digital Operational Resilience Act (DORA) and upcoming cyber resilience bills are setting a new standard for operational integrity. Organisations are under pressure to innovate quickly - gaining the flexibility and efficiency that cloud-native systems offer - while meeting stringent regulatory requirements for resilience, data residency, and supply chain oversight. Although DORA primarily targets financial institutions, lessons from recent breaches show that the operational practices it enforces represent best-in-class standards across industries.
The challenge lies in harmonising speed with governance. Operational resilience under DORA extends beyond internal systems: firms must rigorously assess and continuously audit the resilience of every third-party supplier and vendor critical to their cloud ecosystem. Equally, as cloud adoption grows across financial services, resilient-by-design should be a guiding principle of any transformation, so that governance and oversight are built in rather than bolted on afterwards.
Regulators are increasingly scrutinising supply chain robustness to prevent systemic risk, meaning agile innovation shouldn’t come at the expense of operational stability. To achieve this balance, organisations need a structured approach that embeds resilience into every stage of cloud transformation.
So, here are three practical actions they can take to do just this.
- Build modular, vendor-agnostic cloud architectures
There are two key parts here: modular and vendor-agnostic. Designing systems with modular cloud architectures involves breaking down the cloud environment into self-contained components that work independently – this means they can be developed, customised and maintained separately but still communicate with other systems through shared interfaces.
This modular architecture enables flexible upgrades to specific parts of the IT estate (without having to disrupt or rebuild everything) and the ability to integrate the latest tech in a controlled way into the estate. In turn, this empowers teams to maintain control over workloads while enabling rapid innovation and scalability.
Secondly, this approach limits the risks of vendor dependency. The recent AWS outage sparked wide-ranging discussions around how reliant many companies are on a single provider. By building interoperability across modular platforms, teams can maintain control over their infrastructure while significantly reducing such reliance. As a result, there is less dependency on large monolithic contracts and operational risks can be spread.
Ultimately, a vendor-agnostic flexible solution provides more resilience while enabling companies to modernise on their own terms. And through using multiple vendors and achieving competitive pricing, firms can enhance both cost efficiency and innovation.
- Implement continuous monitoring and automation
One of the main challenges in cloud adoption is visibility and ensuring the hygiene of the entire IT estate. If teams don’t know what changes other teams have made to systems or can’t see how certain elements interact with each other, that’s when security vulnerabilities can accidentally crop up. So, to detect disruptions early, ensure compliance, and maintain operational continuity, the continuous monitoring of risks is crucial.
These risks can materialise at any time, and manual processes such as software updates and security patching are time-consuming and error-prone. With the right tools, much of this work can be automated. Teams should therefore look to implement a centralised platform that automatically and continuously monitors the whole IT estate.
With this central view, teams can identify configuration changes and reconcile them against the approved state in near real time. Automated drift detection, for example, compares the running configuration of each system against its declared, change-controlled baseline, flags any difference that has no matching authorised change, and records an evidence trail of what changed, when, and whether it was approved. Catching configuration drift early (changes that were never recorded or authorised) closes the window in which a misconfiguration can become a breach.
Crucially, automation lets teams work proactively. By surfacing and alerting on issues before they escalate, teams resolve incidents faster. Visibility of changes across the estate also gives greater confidence that compliance standards are being met, while automation frees staff to focus on higher-value activities such as performance optimisation and strategy.
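To make the drift-detection idea concrete, here is an added example that is not code from the article or from any product it describes. It compares a constructed, change-controlled baseline for three resources against a constructed snapshot of the observed state, classifies each difference as authorised (it matches an approved change ticket) or unauthorised, and writes the findings into an HMAC-chained evidence trail so that the record itself is tamper-evident. The resource names, attribute names, ticket numbers and the signing key are all assumptions for illustration; in a real estate the observed state would come from the provider's API or an infrastructure-as-code state file.

```python
"""Configuration drift detection with a tamper-evident evidence trail.

Added example, not the article's code. Baseline, observed state, approved
changes and the HMAC key are all constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional

# Approved baseline (constructed): what change-controlled IaC says each resource should be.
BASELINE = {
    "storage/ledger-archive": {"public_access": False, "encryption": "kms", "versioning": True},
    "sg/payments-api": {"ingress": ["10.0.0.0/8:443"], "egress": ["0.0.0.0/0:443"]},
    "db/core-banking": {"multi_az": True, "backup_retention_days": 35, "deletion_protection": True},
}

# Observed state (constructed): what the estate actually looks like right now.
OBSERVED = {
    "storage/ledger-archive": {"public_access": True, "encryption": "kms", "versioning": True},
    "sg/payments-api": {"ingress": ["10.0.0.0/8:443", "0.0.0.0/0:22"], "egress": ["0.0.0.0/0:443"]},
    "db/core-banking": {"multi_az": True, "backup_retention_days": 7, "deletion_protection": True},
    "sg/orphan-test": {"ingress": ["0.0.0.0/0:3389"], "egress": []},
}

# Authorised changes from the change-management system (constructed). A drift whose
# new value matches an approved ticket is a recorded change; anything else is unauthorised.
APPROVED_CHANGES = {
    ("db/core-banking", "backup_retention_days"): {"ticket": "CHG-0042", "value": 7},
}


@dataclass(frozen=True)
class Drift:
    resource: str
    attribute: str
    expected: object
    actual: object
    authorised: bool
    ticket: Optional[str] = None


def detect_drift(baseline: dict, observed: dict, approved: dict) -> list[Drift]:
    """Return every difference between baseline and observed, classified by authorisation."""
    findings: list[Drift] = []
    for res, spec in baseline.items():
        actual = observed.get(res)
        if actual is None:  # resource in the baseline has disappeared
            findings.append(Drift(res, "<resource>", "present", "missing", False))
            continue
        for attr, expected in spec.items():
            value = actual.get(attr)
            if value == expected:
                continue
            change = approved.get((res, attr))
            ok = change is not None and change["value"] == value
            findings.append(Drift(res, attr, expected, value, ok, change["ticket"] if ok else None))
    # Resources nobody declared are drift too (sorted so output is deterministic).
    for res in sorted(observed.keys() - baseline.keys()):
        findings.append(Drift(res, "<resource>", "absent", "present", False))
    return findings


GENESIS = "0" * 64  # chain anchor for the first evidence record


def evidence_trail(findings: list[Drift], key: bytes, prev: str = GENESIS) -> list[dict]:
    """Serialise findings as records, each MACed over its payload and the previous MAC."""
    entries = []
    for f in findings:
        payload = json.dumps({"prev": prev, **asdict(f)}, sort_keys=True, default=str)
        mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        entries.append({"payload": payload, "mac": mac})
        prev = mac
    return entries


def verify_trail(entries: list[dict], key: bytes, first_prev: str = GENESIS) -> bool:
    """True only if every MAC checks out and the chain links are intact and in order."""
    prev = first_prev
    for e in entries:
        expected = hmac.new(key, e["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False
        if json.loads(e["payload"])["prev"] != prev:
            return False
        prev = e["mac"]
    return True


def summarise(findings: list[Drift]) -> dict:
    """Counts a dashboard or alerting rule would key on."""
    return {
        "total": len(findings),
        "authorised": sum(f.authorised for f in findings),
        "unauthorised": sum(not f.authorised for f in findings),
    }


if __name__ == "__main__":
    found = detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES)
    for f in found:
        print(("OK  " if f.authorised else "ALERT"), f.resource, f.attribute, f.expected, "->", f.actual, f.ticket or "")
    print(summarise(found))
    print("trail verifies:", verify_trail(evidence_trail(found, b"demo-key"), b"demo-key"))
```

Run on the constructed inputs, the retention change on `db/core-banking` is reconciled against ticket CHG-0042 and passes, while the public bucket, the new SSH ingress rule and the undeclared security group are reported as unauthorised. The chained HMAC is a deliberately simple stand-in for an append-only audit store: editing or reordering any record invalidates the chain from that point on, which is the property an auditor wants from an evidence trail.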
- Integrate resilience into transformation roadmaps
The pressure on financial services to adopt cloud solutions and adhere to regulations can trigger expensive and disruptive modernisation projects. But while modernisation can be an urgent priority, firms should look to implement phased migration strategies into their transformation roadmaps. These allow companies to ensure operational continuity as new technologies are integrated.
Continuous incremental and low-risk updates drive resilience and modernisation efforts while reducing technical debt over time. A proactive, ongoing approach means project timelines correlate to when infrastructure needs upgrading (such as when devices reach their end-of-support) and prevents the need for a complete system overhaul. Just as failing to modernise outdated systems can create major vulnerabilities, so can too much change at once.
Resilience also depends on targeted upskilling of staff. Many financial institutions run a mix of legacy and new systems side by side. This co-existence has helped them reduce risk and control costs, but it also opens a widening gap in knowledge and skills, because banks need both legacy and cloud expertise. As new technology is adopted, team members need to be trained on it. The same applies when someone with legacy knowledge leaves: their expertise should be captured and passed on to colleagues wherever possible.
Finally, the transformation roadmap should encompass rigorous oversight of third-party suppliers. As well as assessing their controls, processes and compliance certifications, this means evaluating your own concentration risk: how heavily you rely on each provider and how critical that provider is to the business.
Striking the balance
We’ve seen just how much disruption and damage cyberattacks have caused to major brands, particularly where a third party has served as the attack vector. Simultaneously, the AWS outage exposed how dependent many companies are on a single technology provider. Against this backdrop, the pressure on financial institutions to innovate while ensuring compliance and security has never been more pronounced.
These three steps can help firms strike the balance between cloud innovation and operational resilience, which is essential for meeting recent regulations like DORA. It is also an approach that is best practice across industries, allowing responsible innovation that protects against risk while improving how teams work.
By adopting this strategy, companies can drive their modernisation needs while ensuring operational continuity.