DORA Compliance for Cloud Infrastructure: AWS, Azure & GCP Guide 2026

The Digital Operational Resilience Act (DORA — EU 2022/2554) has been fully applicable since 17 January 2025 . If your institution runs on AWS, Azure, or GCP and operates in banking, insurance, investment management, or payment services, DORA's ICT requirements are now legally binding. As of 2026, supervisory authorities across the EU have begun active enforcement. This guide maps the regulation's infrastructure obligations to concrete cloud configuration checks. Who is affected by DORA? DORA applies to a broad range of financial entities operating in the EU: Credit institutions (banks) and payment institutions Investment firms and asset management companies Insurance and reinsurance undertakings Crypto-asset service providers (CASPs) ICT third-party service providers designated as "critical" by the ESAs Unlike NIS2, which uses employee and revenue thresholds, DORA applies by sector — not by size. A two-person fintech accepting payments falls in scope just as a large bank does. DORA IC