DORA Made Cloud Resilience Mandatory

DORA is no longer “upcoming”: it has been applicable since 17 January 2025. In 2026, attention is shifting to supervisory scrutiny and third-party concentration risk. This post explains what that means in practice, and how MTD Cloud supports a resilient, auditable, Kubernetes-native operating model for regulated workloads.

Roxana Lungu

January 27, 2025


DORA Changed the Conversation

For years, cloud resilience was often treated as a purely technical topic: uptime, backups, incident response, a bit of DR. DORA changes the framing. It turns resilience and ICT risk into governance-level obligations for financial entities and, by extension, their technology suppliers. DORA applies from 17 January 2025, and by 2026 many organisations are moving from preparation to evidence: policies, controls, testing, and third-party oversight.


Concentration Risk is Now Explicitly on the Radar

A key operational reality for banks and insurers is dependency on large technology providers. Under DORA, EU regulators can designate certain providers as “critical” third-party providers for the financial sector and supervise them directly. In November 2025, EU regulators designated 19 technology companies, including major cloud providers, as “critical” for the EU financial sector.

Whether you run in hyperscalers, private cloud, or hybrid, the message is consistent: cloud outages and third-party failures become your problem, not just your vendor’s incident.


What “resilience” Means in Practice

Resilience isn’t a single control; it’s a set of measurable capabilities you can demonstrate:

  • Availability architecture: eliminate single failure domains;

  • Recoverability: known RTO/RPO targets and tested restoration, not just backups;

  • Operational readiness: patching, upgrades, access controls, logging, monitoring;

  • Testing discipline: regular resilience testing, including advanced testing where required;

  • Supplier governance: clarity on responsibilities, auditability, and exit options.

In 2025, the differentiator is less “we have a plan” and more “we can prove it works.”


Make Resilience a Platform Default

MTD Cloud is designed to make resilience and governance easier to adopt by standardising the foundation, so each team doesn’t reinvent operational controls.

1) SaaS Consistent, Production-Grade Baseline

A managed cluster baseline helps reduce drift between environments and projects. Standardised networking, access patterns, and observability make it far easier to demonstrate consistency across workloads, an important theme in regulated environments.

2) Multi-zone patterns to reduce failure domains

Resilient platforms avoid concentrating all capacity in one zone. Multi-zone worker distribution, pod spreading, and disruption budgets turn availability into something you can validate and monitor continuously.
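One way to turn the multi-zone claim into a repeatable check, as an added example (not MTD Cloud's code): it computes zone skew and whether losing the busiest zone would still leave the replicas a disruption budget requires. The pod-to-zone maps are constructed sample data, and `zone_resilience` and its parameters are hypothetical names; in a real cluster the zone comes from each node's `topology.kubernetes.io/zone` label.

```python
from collections import Counter

# Constructed sample data: ready pod name -> zone of the node it runs on.
SAMPLE_SPREAD = {"pay-0": "zone-a", "pay-1": "zone-b", "pay-2": "zone-c",
                 "pay-3": "zone-a", "pay-4": "zone-b", "pay-5": "zone-c"}
SAMPLE_STACKED = {"pay-0": "zone-a", "pay-1": "zone-a", "pay-2": "zone-a",
                  "pay-3": "zone-a", "pay-4": "zone-b", "pay-5": "zone-c"}
ZONES = ["zone-a", "zone-b", "zone-c"]


def zone_resilience(pod_zones, zones, min_available, max_skew=1):
    """Check ready-pod placement against skew and single-zone-loss targets.

    min_available mirrors a PodDisruptionBudget's minAvailable; max_skew
    mirrors a topology spread constraint's maxSkew (both passed in here).
    """
    if not zones:
        raise ValueError("at least one zone is required")
    # Start every expected zone at zero so an empty zone shows up in the skew.
    per_zone = Counter({zone: 0 for zone in zones})
    per_zone.update(pod_zones.values())

    skew = max(per_zone.values()) - min(per_zone.values())
    # Worst case for availability: the zone holding the most pods fails.
    worst_zone, worst_count = max(per_zone.items(), key=lambda kv: kv[1])
    survivors = sum(per_zone.values()) - worst_count

    findings = []
    if skew > max_skew:
        findings.append(f"zone skew {skew} exceeds allowed {max_skew}")
    if survivors < min_available:
        findings.append(f"losing {worst_zone} leaves {survivors} pods, "
                        f"below required {min_available}")
    return {"per_zone": dict(per_zone), "skew": skew,
            "worst_zone": worst_zone,
            "survivors_after_zone_loss": survivors,
            "compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, placement in (("spread", SAMPLE_SPREAD),
                            ("stacked", SAMPLE_STACKED)):
        print(name, zone_resilience(placement, ZONES, min_available=4))
```

Run on a schedule and stored with its timestamp, the returned report doubles as evidence that the single-zone-loss target held at that point in time.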

3) GitOps/CI/CD and controlled change

Resilience isn’t only about infrastructure; it’s also about change management. A standard platform model supports repeatable deployments, versioned configuration, and safer rollouts (reducing incident probability).

4) Security and runtime isolation for sensitive workloads

For high-sensitivity services, MTD Cloud also supports confidential-compute aligned patterns on Kubernetes (e.g., Kata + CoCo foundations) that strengthen runtime boundaries, useful when resilience and security requirements converge.

5) A practical “DORA-ready” playbook for cloud workloads

If you’re mapping your cloud platform to DORA expectations, a pragmatic sequence is:

  • Identify critical services and define target SLOs (availability + recovery)

  • Reduce single points of failure (zones, storage, ingress, identity)

  • Operationalise recovery with routine restore tests

  • Instrument evidence: monitoring, audit logs, runbooks, incident processes

  • Test resilience regularly and track remediation work

  • Clarify third-party responsibilities and define exit/portability options


Conclusion

DORA’s impact is that resilience and third-party risk aren’t optional engineering improvements; they’re part of how trust is earned and maintained in financial services. With regulators actively supervising “critical” providers and firms expected to demonstrate operational readiness, the winning approach is to treat resilience as a platform property, not a per-project afterthought.

MTD Cloud helps by standardising the Kubernetes foundation, enabling multi-zone patterns, improving operational consistency, and supporting stronger workload isolation where required, so your teams can move faster while making compliance and resilience easier to evidence.
