The Digital Operational Resilience Act (DORA) and the revised Network and Information Security Directive (NIS2) represent a paradigm shift in how the EU regulates ICT risk. Together, they compel financial institutions and critical-sector operators to address concentration risk in cloud dependencies, fundamentally reshaping multi-cloud strategy across Europe.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) was adopted on 14 December 2022 as part of the European Commission's Digital Finance Package. Unlike the earlier EBA Guidelines on ICT and security risk management, DORA is a directly applicable regulation — meaning it creates uniform, binding obligations across all 27 Member States without the need for national transposition. It became applicable on 17 January 2025.
DORA applies to a broad range of financial entities: credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and central counterparties, among others. Its obligations are organised around five core pillars, one per chapter of the regulation: ICT risk management (Chapter II); ICT-related incident management, classification and reporting (Chapter III); digital operational resilience testing, including threat-led penetration testing for the largest entities (Chapter IV); management of ICT third-party risk (Chapter V); and information-sharing arrangements on cyber threats (Chapter VI).
The European Supervisory Authorities — the EBA, ESMA, and EIOPA — published Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) throughout 2024 to operationalise these requirements, including the final RTS on ICT risk management frameworks and the classification of major ICT incidents.
DORA's most structurally significant innovation is the critical ICT third-party provider (CTPP) oversight framework under Articles 31-44. The ESAs, through the Joint Committee, can designate ICT service providers — including cloud platforms — as "critical" based on criteria including the systemic impact of their failure, the degree of substitutability, and the number of financial entities relying on them. Once designated, a CTPP falls under direct oversight by a Lead Overseer appointed from among the ESAs.
The Lead Overseer may request information, conduct general investigations and on-site inspections, and issue recommendations. If a CTPP fails to follow those recommendations, the Lead Overseer informs the competent authorities of the affected financial entities, and those authorities may require the entities to partially or fully suspend use of the service until the risks identified in the recommendations have been addressed or, where necessary, to terminate the contract. The framework also reaches CTPPs established outside the EU that serve EU financial entities: a designated third-country provider must establish a subsidiary in the Union within twelve months of designation. The drafting is provider-neutral, but in practice this extraterritorial reach captures the US hyperscalers.
For cloud providers this is a new kind of regulatory exposure. AWS, Microsoft Azure, and Google Cloud collectively host critical workloads for thousands of European banks, insurers, and asset managers, and designation as a CTPP would bring direct, ongoing supervisory engagement in the EU, broadly comparable to the service-provider examinations US banking regulators already conduct. The ESAs were expected to publish the first list of designated CTPPs during 2025.
The CTPP framework also incentivises financial entities to diversify their cloud dependencies. If an institution's critical functions concentrate on a single provider later designated as a CTPP under remediation, the operational disruption from a forced suspension could be catastrophic. DORA therefore drives a strategic shift toward multi-cloud architectures — not merely as a best practice, but as a regulatory risk-mitigation imperative.
The NIS2 Directive (Directive (EU) 2022/2555) replaced the original 2016 NIS Directive; Member States had to transpose it by 17 October 2024 and it applies from 18 October 2024. While DORA is sector-specific to financial services, NIS2 applies a horizontal cybersecurity framework across the EU economy. It lists sectors of high criticality in Annex I (energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space) and other critical sectors in Annex II (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). Whether an in-scope organisation is an essential entity or an important entity depends on both sector and size: large Annex I entities are essential, while medium-sized Annex I entities and Annex II entities are generally important. An estimated 160,000 organisations across the EU fall within scope.
For cybersecurity risk management, NIS2's Article 21 requires entities to adopt "appropriate and proportionate" technical, operational, and organisational measures based on an all-hazards approach. Article 21(2) sets out the minimum list: policies on risk analysis and information system security; incident handling; business continuity, backup management, disaster recovery and crisis management; supply-chain security, including the relationships with direct suppliers and service providers; security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber-hygiene practices and training; policies on the use of cryptography and, where appropriate, encryption; human-resources security, access control and asset management; and the use of multi-factor or continuous authentication, secured communications and secured emergency communications where appropriate.
The supply-chain security obligation is particularly consequential for cloud strategy, because it requires essential and important entities to assess and manage the cybersecurity risks posed by their cloud providers as part of their own risk management, taking into account each provider's specific vulnerabilities and the quality of its security practices (Article 21(3)). Combined with the incident-reporting timeline in Article 23 (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month), this means an organisation needs contractual rights to timely incident information from its providers and enough technical visibility of its own (logging, monitoring, and notification channels) to tell, within hours, whether a provider-side event has affected its services.
NIS2 also significantly strengthened the enforcement regime. Member States must ensure that essential entities face maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher (for important entities the floor is €7 million or 1.4%). NIS2 also introduces personal accountability: Article 20 requires management bodies to approve and oversee the risk-management measures and allows them to be held liable for infringements, and Article 32(6) requires Member States to ensure that the natural persons responsible for, or acting as legal representatives of, an essential entity can be held liable for breaches of their duties. The intent is that cybersecurity is treated as a board-level issue.
The combined effect of DORA and NIS2 is to make multi-cloud and hybrid architectures a compliance-driven necessity rather than merely an architectural preference. Several specific regulatory requirements push in this direction:
Exit strategies: DORA Article 28(8) requires financial entities to put in place exit strategies for ICT services supporting critical or important functions, so that a contract can be terminated without disrupting business activity or breaching regulatory requirements, and the service can be transitioned to another provider or brought in-house. The same article requires exit plans to be documented, sufficiently tested and periodically reviewed, so a plan that exists only on paper does not satisfy it. In practice that means designing workloads for portability: containerised services, infrastructure-as-code that can be re-targeted, data kept in exportable formats, and a deliberate inventory of which proprietary managed services each critical function depends on.
Concentration risk: DORA Article 29 requires financial entities, before contracting, to assess whether an arrangement would involve a provider that is not easily substitutable or would place multiple critical or important functions with the same provider (or with closely connected providers), and to weigh the benefits and costs of alternatives; the associated RTS on ICT third-party risk builds on this. Where concentration risk is identified, entities must decide how to mitigate it. Distributing workloads across multiple providers is one option, alongside stronger exit arrangements and contractual safeguards.
Business continuity: Both DORA (Articles 11 and 12) and NIS2 (Article 21(2)(c)) require business continuity and disaster recovery capabilities, including backup policies and recovery procedures. For cloud-hosted workloads, the credible question is no longer only whether a service can fail over to another availability zone or region of the same provider, but whether it can be restored on a different provider or on on-premises infrastructure if the provider itself is the point of failure, and whether that restoration has actually been rehearsed.
European organisations are responding. A 2024 survey by the European Banking Authority found that 72% of EU banks planned to adopt or expand multi-cloud strategies within 24 months, citing DORA compliance as the primary driver. The wider ecosystem is adapting as well: Gaia-X and its data-space initiatives promote interoperability and portability standards, and the major providers increasingly support Kubernetes-based workload portability. The regulatory message is clear: resilience requires redundancy, and redundancy requires diversification beyond a single cloud provider.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that became applicable on 17 January 2025. It imposes binding ICT risk management, incident reporting, resilience testing, and third-party oversight obligations on a wide range of EU financial entities, including banks, insurers, and payment providers.
NIS2 (Directive (EU) 2022/2555) is the EU's updated cybersecurity directive, applicable since 18 October 2024. It extends cybersecurity obligations to the 18 sectors listed in its two annexes, covering an estimated 160,000 organisations, with maximum fines for essential entities of at least €10 million or 2% of global annual turnover, whichever is higher.
DORA does not mandate multi-cloud explicitly, but its requirements for exit strategies, concentration risk assessment, and business continuity effectively make multi-cloud architectures a compliance necessity. A 2024 EBA survey found 72% of EU banks planned to adopt multi-cloud strategies within 24 months, citing DORA as the primary driver.