DORA Compliance for Azure: Financial Services ICT Resilience Guide
Complete DORA compliance guide for Azure workloads. Prepare your financial services Azure environment for Digital Operational Resilience Act requirements.
The Digital Operational Resilience Act (DORA) is transforming how financial institutions approach IT resilience and security. Coming into full effect in January 2025, DORA establishes a comprehensive framework for digital operational resilience across the EU financial sector. Here's what you need to know to prepare your Azure workloads.
What is DORA?
DORA is an EU regulation that aims to strengthen the IT security of financial entities and ensure the financial sector in Europe can stay resilient during severe operational disruptions. The regulation applies broadly across the financial sector, covering banks and credit institutions, investment firms, insurance and reinsurance companies, payment institutions, and crypto-asset service providers. Importantly, it also establishes a direct oversight regime for ICT third-party providers that the European Supervisory Authorities designate as critical, with hyperscale cloud providers such as Microsoft Azure the obvious candidates for that designation.
DORA applies from 17 January 2025. Organisations should be actively working on compliance now, not waiting until the deadline.
DORA's Five Pillars
DORA is structured around five key areas of digital operational resilience:
1. ICT Risk Management
Financial entities must establish a comprehensive ICT risk management framework. This means having clear governance with defined roles and responsibilities at board level, systematic identification of ICT risks and vulnerabilities, technical and organisational measures to protect systems, mechanisms to promptly detect anomalous activities, and robust business continuity and disaster recovery plans.
On Azure, you can address these requirements by using Microsoft Defender for Cloud for continuous security assessment, implementing Azure Policy for governance and compliance enforcement, deploying Azure Monitor and Microsoft Sentinel for detection capabilities, and leveraging Azure Site Recovery for disaster recovery.
2. ICT Incident Management
DORA requires a structured approach to managing ICT-related incidents, including classification of incidents against defined impact criteria (clients and counterparts affected, duration, geographical spread, data losses, criticality of the services affected, and economic impact), thorough root cause analysis for major incidents, reporting of major incidents to competent authorities within strict timeframes (an initial notification, followed by an intermediate report and a final report), and timely communication to clients when incidents affect their services or financial interests.
On Azure, you can implement this using Microsoft Sentinel for incident detection and management, automated playbooks for incident response, integration with ticketing systems like ServiceNow or Jira, and Azure Service Health for platform incident awareness.
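The reporting timeframes are where incident response teams most often lose track, because the initial notification has two clocks running at once. The following is an added example, not code from the original article or from Microsoft. The time limits it encodes are the ones this example's author reads in DORA Article 19 and its incident-reporting RTS (initial notification within 4 hours of classifying the incident as major but no later than 24 hours after becoming aware of it; intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report). Treat them as configuration to confirm against the published text; other RTS provisions, such as the treatment of non-working days, are not modelled, and the incident identifier and timestamps are constructed.

```python
"""Reporting clock for a DORA major ICT-related incident (added example).

Time limits are the author's reading of DORA Art. 19 and its RTS: confirm
them against the published text before relying on them.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_FROM_CLASSIFICATION = timedelta(hours=4)    # 4 h after classifying as major
INITIAL_CAP_FROM_AWARENESS = timedelta(hours=24)    # ...but never later than 24 h after awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # 72 h after the initial notification
# Final report: one calendar month after the intermediate report (see add_one_month).


@dataclass
class MajorIncident:
    """Timestamps must be timezone-aware; None means 'not yet submitted'."""
    incident_id: str
    aware_at: datetime
    classified_major_at: datetime
    initial_submitted_at: Optional[datetime] = None
    intermediate_submitted_at: Optional[datetime] = None
    final_submitted_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        for name in ("aware_at", "classified_major_at", "initial_submitted_at",
                     "intermediate_submitted_at", "final_submitted_at"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")
        if self.classified_major_at < self.aware_at:
            raise ValueError("an incident cannot be classified before it is detected")


def add_one_month(moment: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day
    (31 Jan -> 28/29 Feb). A fixed 30 days would drift from 'one month'."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def initial_deadline(inc: MajorIncident) -> datetime:
    """The 4 h clock starts at classification, but the 24 h cap from awareness
    becomes the binding limit whenever classification was slow."""
    return min(inc.classified_major_at + INITIAL_FROM_CLASSIFICATION,
               inc.aware_at + INITIAL_CAP_FROM_AWARENESS)


def intermediate_deadline(inc: MajorIncident) -> Optional[datetime]:
    if inc.initial_submitted_at is None:
        return None
    return inc.initial_submitted_at + INTERMEDIATE_AFTER_INITIAL


def final_deadline(inc: MajorIncident) -> Optional[datetime]:
    if inc.intermediate_submitted_at is None:
        return None
    return add_one_month(inc.intermediate_submitted_at)


def _stage_status(deadline: Optional[datetime], submitted: Optional[datetime],
                  now: datetime) -> str:
    if deadline is None:
        return "not yet due"                 # previous stage not yet submitted
    if submitted is not None:
        return "on time" if submitted <= deadline else "late"
    return "OVERDUE" if now > deadline else f"due {deadline.isoformat()}"


def report_status(inc: MajorIncident, now: datetime) -> dict[str, str]:
    """One status line per reporting stage, suitable for an incident dashboard."""
    return {
        "initial": _stage_status(initial_deadline(inc), inc.initial_submitted_at, now),
        "intermediate": _stage_status(intermediate_deadline(inc),
                                      inc.intermediate_submitted_at, now),
        "final": _stage_status(final_deadline(inc), inc.final_submitted_at, now),
    }


# Constructed sample: detected Monday 08:00 UTC but only classified as major
# 22 h later, so the 24 h-from-awareness cap, not the 4 h clock, sets the deadline.
UTC = timezone.utc
SAMPLE = MajorIncident(
    incident_id="INC-2025-0042",                       # hypothetical identifier
    aware_at=datetime(2025, 3, 3, 8, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 4, 6, 0, tzinfo=UTC),
    initial_submitted_at=datetime(2025, 3, 4, 7, 30, tzinfo=UTC),
)

if __name__ == "__main__":
    now = datetime(2025, 3, 6, 12, 0, tzinfo=UTC)
    for stage, status in report_status(SAMPLE, now).items():
        print(f"{SAMPLE.incident_id} {stage:12s} {status}")
```

In practice the `aware_at` and `classified_major_at` values would come from the Sentinel incident record (creation time and the time a classification automation rule or analyst set the severity), and `report_status` is the sort of check a playbook can run on a schedule to raise an alert before a deadline passes rather than after.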
3. Digital Operational Resilience Testing
Regular testing is mandatory under DORA. Basic testing includes vulnerability assessments and scans, network security assessments, gap analyses, source code reviews where feasible, scenario-based tests, end-to-end testing and penetration testing. ICT systems and applications supporting critical or important functions must be tested at least yearly. Financial entities identified for it by their competent authority must additionally carry out advanced testing through threat-led penetration testing (TLPT) at least every three years.
On Azure, you can meet these requirements through Microsoft Defender for Cloud vulnerability assessments (Azure Security Center was folded into Defender for Cloud), regular penetration testing that stays within Microsoft's Cloud Penetration Testing Rules of Engagement, chaos engineering with Azure Chaos Studio to test resilience, and tabletop exercises for incident response preparedness. Keep in mind that DORA's TLPT is carried out on your own live production systems and remains your obligation; Microsoft's testing of the underlying platform does not discharge it.
4. ICT Third-Party Risk Management
Managing third-party risk is a major focus of DORA. Financial entities must maintain a register of information covering all contractual arrangements with ICT third-party providers, distinguishing those that support critical or important functions, conduct due diligence before engaging providers, include specific contractual provisions covering exit strategies and audit rights, and monitor ongoing performance and risk.
When using Azure, you should review Microsoft's DORA contractual addendum, understand the shared responsibility model clearly (which DORA controls you inherit from Microsoft and which remain yours to implement), document your reliance on Azure services in the register, and plan exit scenarios: DORA requires documented exit strategies for ICT services supporting critical or important functions, which may mean multi-cloud or on-premises fallback options.
5. Information Sharing
DORA encourages, though doesn't mandate, sharing of cyber threat intelligence. This includes participating in threat intelligence sharing communities, sharing indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), and collaborating with peers on emerging threats.
Azure Services for DORA Compliance
| DORA Requirement | Azure Service |
|---|---|
| Risk identification | Microsoft Defender for Cloud, Azure Advisor |
| Threat detection | Microsoft Sentinel, Defender suite |
| Incident management | Microsoft Sentinel, Logic Apps |
| Business continuity | Azure Site Recovery, Availability Zones |
| Resilience testing | Azure Chaos Studio |
| Audit logging | Azure Monitor, Activity Logs |
| Compliance reporting | Microsoft Purview Compliance Manager, Defender for Cloud regulatory compliance dashboard, Azure Policy |
Common Gaps We See
Based on our work with financial services clients, these are the most common DORA readiness gaps we encounter.
Incomplete asset inventory is frequently a problem: organisations often lack a complete view of their ICT assets and the dependencies between them. Insufficient testing is another common issue, with testing often limited to an annual penetration test rather than the broader resilience testing DORA expects. Third-party register gaps are common, with registers of ICT third-party arrangements incomplete or outdated. Many organisations also struggle with incident classification, lacking clear, pre-agreed criteria for deciding which incidents count as major under DORA. Finally, board reporting often falls short, with ICT risk not adequately reported to the management body.
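The first two gaps above (inventory and third-party register) are easiest to close when they are measured from the same data. The following is an added example, not code from the original article or from Microsoft. It audits an exported list of Azure resources whose record shape (`id`, `type`, `subscriptionId`, `tags`) mirrors the columns Azure Resource Graph returns from its `resources` table, but the data embedded below is constructed. The tag names (`owner`, `criticality`, `ict-provider`, `dr-plan`) are a tagging convention this example assumes; DORA prescribes the inventory and the register, not the tags you use to derive them.

```python
"""Tag-based inventory and register gap check over an Azure resource export
(added example; record shape follows Azure Resource Graph, data is constructed)."""
from __future__ import annotations

import json
from collections import Counter

REQUIRED_TAGS = ("owner", "criticality")          # every resource needs these (assumed convention)
CIF_VALUES = {"critical", "important"}            # marks support for a critical or important function
CIF_REQUIRED_TAGS = ("ict-provider", "dr-plan")   # extra tags a CIF resource must carry (assumed)

_PREFIX = "/subscriptions/sub-a/resourceGroups/rg-core/providers/"
# Constructed export, as `az graph query` would return it: {"data": [rows], ...}.
SAMPLE_EXPORT = json.dumps({"count": 6, "data": [
    {"id": _PREFIX + "Microsoft.Compute/virtualMachines/vm-core-banking",
     "type": "microsoft.compute/virtualmachines", "subscriptionId": "sub-a",
     "tags": {"owner": "platform-team", "criticality": "critical",
              "ict-provider": "Microsoft Azure", "dr-plan": "DRP-017"}},
    {"id": _PREFIX + "Microsoft.Sql/servers/sql-ledger",
     "type": "microsoft.sql/servers", "subscriptionId": "sub-a",
     "tags": {"owner": "data-team", "Criticality": "Critical",   # mixed case on purpose
              "ict-provider": "Microsoft Azure"}},                 # no dr-plan
    {"id": _PREFIX + "Microsoft.Storage/storageAccounts/st-marketing-assets",
     "type": "microsoft.storage/storageaccounts", "subscriptionId": "sub-a",
     "tags": {}},                                                  # untagged
    {"id": _PREFIX + "Microsoft.Web/sites/func-payments",
     "type": "microsoft.web/sites", "subscriptionId": "sub-a",
     "tags": {"owner": "payments-team", "criticality": "important",
              "dr-plan": "DRP-021"}},                              # no ict-provider
    {"id": _PREFIX + "Microsoft.Network/virtualNetworks/vnet-hub",
     "type": "microsoft.network/virtualnetworks", "subscriptionId": "sub-a",
     "tags": {"owner": "network-team", "criticality": "low"}},
    {"id": _PREFIX + "Microsoft.KeyVault/vaults/kv-secrets",
     "type": "microsoft.keyvault/vaults", "subscriptionId": "sub-a",
     "tags": None},                                                # Resource Graph emits null
]})


def load_resources(export_json: str) -> list[dict]:
    """Accept either the bare row list or the {"data": [...]} envelope."""
    data = json.loads(export_json)
    return data["data"] if isinstance(data, dict) else data


def normalise_tags(tags) -> dict[str, str]:
    """Azure tag names are case-insensitive and untagged resources come back as
    null, so lower-case the keys and treat null as an empty map."""
    if not tags:
        return {}
    return {str(k).lower(): str(v).strip() for k, v in tags.items()}


def audit(resources: list[dict]) -> dict:
    """Return the inventory gaps and the provider breakdown for CIF resources."""
    findings = {
        "total": len(resources),
        "missing_required": [],      # (resource id, [missing tags])
        "cif_total": 0,
        "cif_missing": [],           # CIF resources lacking provider/DR tags
        "cif_by_provider": Counter(),  # seed for the third-party register
    }
    for res in resources:
        tags = normalise_tags(res.get("tags"))
        missing = [t for t in REQUIRED_TAGS if t not in tags]
        if missing:
            findings["missing_required"].append((res["id"], missing))
        if tags.get("criticality", "").lower() in CIF_VALUES:
            findings["cif_total"] += 1
            cif_missing = [t for t in CIF_REQUIRED_TAGS if t not in tags]
            if cif_missing:
                findings["cif_missing"].append((res["id"], cif_missing))
            findings["cif_by_provider"][tags.get("ict-provider", "(untagged)")] += 1
    covered = findings["total"] - len(findings["missing_required"])
    findings["inventory_coverage"] = covered / findings["total"] if findings["total"] else 1.0
    return findings


if __name__ == "__main__":
    result = audit(load_resources(SAMPLE_EXPORT))
    print(f"inventory coverage: {result['inventory_coverage']:.0%}")
    for rid, missing in result["missing_required"] + result["cif_missing"]:
        print(f"  {rid.rsplit('/', 1)[1]}: missing {', '.join(missing)}")
    print("CIF resources by provider:", dict(result["cif_by_provider"]))
```

The `inventory_coverage` figure is the kind of number a management body can track quarter over quarter, and `cif_by_provider` is the seed for the register of information: every provider named there needs a corresponding contractual arrangement, and "(untagged)" is a register gap by definition. The same checks map directly onto a Resource Graph query (for example `resources | where isnull(tags['owner']) or isnull(tags['criticality'])`), and Azure Policy can then deny or audit resources created without the required tags so the gap does not reopen.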
Getting Started
If you're beginning your DORA compliance journey, we recommend a structured approach. Start with a gap assessment comparing your current state against DORA requirements. Then conduct a risk assessment to identify and prioritise ICT risks. From there, develop a remediation roadmap to plan and prioritise your activities. Execute the implementation with appropriate controls, then validate through testing. Finally, establish a continuous improvement programme for ongoing monitoring and enhancement.
How We Can Help
We've helped multiple financial services organisations prepare for DORA. Our services include DORA readiness assessments, Azure security architecture review, Microsoft Sentinel implementation, disaster recovery planning and testing, and third-party risk management. Get in touch to discuss how we can support your DORA compliance journey.
Want more insights?
Explore our other articles or subscribe to our newsletter for the latest cloud security guidance.