[{"data":1,"prerenderedAt":586},["ShallowReactive",2],{"navigation":3,"\u002Fen\u002Fblog\u002Fdora-compliance-devops":294,"\u002Fen\u002Fblog\u002Fdora-compliance-devops-surround":581},[4,8,12,16,20,24,28,32,36,40,44,48,52,56,60,64,68,72,76,80,84,88,92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184,188,207,219,250,287],{"title":5,"path":6,"stem":7},"Build and Deploy a Modern Website in 5 Minutes","\u002Fen\u002Fblog\u002Fbuild-with-loveable","en\u002F3.blog\u002F1.build-with-loveable",{"title":9,"path":10,"stem":11},"The Vercel Alternative for the German Mittelstand: Sovereign Hosting on Hetzner with lowcloud","\u002Fen\u002Fblog\u002Fdigital-sovereignty-lowcloud-vs-vercel-b2b","en\u002F3.blog\u002F10.digital-sovereignty-lowcloud-vs-vercel-b2b",{"title":13,"path":14,"stem":15},"Cloud Sovereignty Framework: How the EU Is Finally Making Cloud Sovereignty Measurable","\u002Fen\u002Fblog\u002Fcloud-sovereignty-framework","en\u002F3.blog\u002F12.cloud-sovereignty-framework",{"title":17,"path":18,"stem":19},"Avoiding Cloud Vendor Lock-in: What Real Sovereignty Means Technically","\u002Fen\u002Fblog\u002Fcloud-vendor-lock-in","en\u002F3.blog\u002F13.cloud-vendor-lock-in",{"title":21,"path":22,"stem":23},"Digital Sovereignty with Kubernetes: When Is Open Source Truly Sovereign?","\u002Fen\u002Fblog\u002Fkubernetes-digital-sovereignty","en\u002F3.blog\u002F14.kubernetes-digital-sovereignty",{"title":25,"path":26,"stem":27},"What Is DevOps as a Service and When Does It Actually Make Sense?","\u002Fen\u002Fblog\u002Fdevops-as-a-service","en\u002F3.blog\u002F15.devops-as-a-service",{"title":29,"path":30,"stem":31},"Cloud Sovereignty Governance: Why This Topic Belongs in the Boardroom, Not the Server Room","\u002Fen\u002Fblog\u002Fcloud-sovereignty-governance","en\u002F3.blog\u002F16.cloud-sovereignty-governance",{"title":33,"path":34,"stem":35},"PaaS vs. 
DaaS: What","\u002Fen\u002Fblog\u002Fpaas-vs-daas","en\u002F3.blog\u002F17.paas-vs-daas",{"title":37,"path":38,"stem":39},"Sovereign Cloud: Can SaaS Really Maintain Control Over Your Data?","\u002Fen\u002Fblog\u002Fsovereign-cloud-saas-data-control","en\u002F3.blog\u002F18.sovereign-cloud-saas-data-control",{"title":41,"path":42,"stem":43},"DevOps vs. DevOps as a Service – Which One Fits Your Team?","\u002Fen\u002Fblog\u002Fdevops-vs-devops-as-a-service","en\u002F3.blog\u002F19.devops-vs-devops-as-a-service",{"title":45,"path":46,"stem":47},"Docker Fundamentals -  Understanding Container Virtualization","\u002Fen\u002Fblog\u002Fhow-docker-works","en\u002F3.blog\u002F2.how-docker-works",{"title":49,"path":50,"stem":51},"The 7 Biggest DevOps Problems in SMBs – And How to Fix Them","\u002Fen\u002Fblog\u002Fdevops-problems-smb","en\u002F3.blog\u002F20.devops-problems-smb",{"title":53,"path":54,"stem":55},"PostgreSQL Helm Chart: How to Deploy Postgres on Kubernetes","\u002Fen\u002Fblog\u002Fpostgresql-helm-chart-kubernetes","en\u002F3.blog\u002F21.postgresql-helm-chart-kubernetes",{"title":57,"path":58,"stem":59},"Platform Engineering vs. DevOps – What","\u002Fen\u002Fblog\u002Fplatform-engineering-vs-devops","en\u002F3.blog\u002F22.platform-engineering-vs-devops",{"title":61,"path":62,"stem":63},"Cloud Act vs. 
GDPR: The Risk for EU Businesses","\u002Fen\u002Fblog\u002Fcloud-act-vs-gdpr","en\u002F3.blog\u002F23.cloud-act-vs-gdpr",{"title":65,"path":66,"stem":67},"Cut IT Costs with Automation: The Biggest Lever","\u002Fen\u002Fblog\u002Freduce-it-costs-automation","en\u002F3.blog\u002F24.reduce-it-costs-automation",{"title":69,"path":70,"stem":71},"NIS2 Compliance for DevOps Teams: What You Need to Do","\u002Fen\u002Fblog\u002Fnis2-compliance-devops","en\u002F3.blog\u002F25.nis2-compliance-devops",{"title":73,"path":74,"stem":75},"Self-Hosted EU Alternatives: Host LibreOffice & More","\u002Fen\u002Fblog\u002Fself-hosted-eu-alternatives","en\u002F3.blog\u002F26.self-hosted-eu-alternatives",{"title":77,"path":78,"stem":79},"DORA Compliance for DevOps: What the EU Resilience Act Means","\u002Fen\u002Fblog\u002Fdora-compliance-devops","en\u002F3.blog\u002F27.dora-compliance-devops",{"title":81,"path":82,"stem":83},"Cloud TCO: Hidden Costs AWS, Azure & GCP Don't Show You","\u002Fen\u002Fblog\u002Fcloud-tco-hidden-costs","en\u002F3.blog\u002F28.cloud-tco-hidden-costs",{"title":85,"path":86,"stem":87},"Data Residency vs. 
Data Sovereignty: What Really Matters","\u002Fen\u002Fblog\u002Fdata-residency-vs-data-sovereignty","en\u002F3.blog\u002F29.data-residency-vs-data-sovereignty",{"title":89,"path":90,"stem":91},"Self-Host n8n on Hetzner: Complete Docker Setup Guide","\u002Fen\u002Fblog\u002Fself-hosted-n8n-on-hetzner","en\u002F3.blog\u002F3.self-hosted-n8n-on-hetzner",{"title":93,"path":94,"stem":95},"Manual Deployments: An Underestimated Risk for SMBs","\u002Fen\u002Fblog\u002Fmanual-deployment-risks","en\u002F3.blog\u002F30.manual-deployment-risks",{"title":97,"path":98,"stem":99},"DevOps Tool Sprawl: How It Happens and How to Stop It","\u002Fen\u002Fblog\u002Fdevops-tool-sprawl","en\u002F3.blog\u002F31.devops-tool-sprawl",{"title":101,"path":102,"stem":103},"Kubernetes Monitoring: Using Logs and Metrics Effectively","\u002Fen\u002Fblog\u002Fkubernetes-monitoring-logs-metrics","en\u002F3.blog\u002F32.kubernetes-monitoring-logs-metrics",{"title":105,"path":106,"stem":107},"OB7 Case Study: Website Deployment Without Infrastructure Overhead","\u002Fen\u002Fblog\u002Fob7-case-study-lowcloud-deployment","en\u002F3.blog\u002F33.ob7-case-study-lowcloud-deployment",{"title":109,"path":110,"stem":111},"DevOps in SMBs: Why Missing Roles Become a Real Risk","\u002Fen\u002Fblog\u002Fmissing-devops-roles-smb","en\u002F3.blog\u002F34.missing-devops-roles-smb",{"title":113,"path":114,"stem":115},"Simplify Kubernetes Configuration: The Path to Human-Readable Cloud","\u002Fen\u002Fblog\u002Fsimplify-kubernetes-configuration","en\u002F3.blog\u002F35.simplify-kubernetes-configuration",{"title":117,"path":118,"stem":119},"Collaborative DevOps: How Modern Teams Build Cloud Apps Together","\u002Fen\u002Fblog\u002Fcollaborative-devops-teams","en\u002F3.blog\u002F36.collaborative-devops-teams",{"title":121,"path":122,"stem":123},"Knowledge Documentation in DevOps Teams: How to Actually Reduce Your Bus 
Factor","\u002Fen\u002Fblog\u002Fdevops-knowledge-documentation-bus-factor","en\u002F3.blog\u002F37.devops-knowledge-documentation-bus-factor",{"title":125,"path":126,"stem":127},"What Is PaaS? Platform as a Service Explained","\u002Fen\u002Fblog\u002Fwhat-is-paas","en\u002F3.blog\u002F38.what-is-paas",{"title":129,"path":130,"stem":131},"EU AI Act Hosting: What Changes for AI Workload Operators","\u002Fen\u002Fblog\u002Feu-ai-act-hosting","en\u002F3.blog\u002F39.eu-ai-act-hosting",{"title":133,"path":134,"stem":135},"Docker Compose Tutorial: Managing Multi-Container Apps Made Easy","\u002Fen\u002Fblog\u002Fdocker-compose-for-beginners","en\u002F3.blog\u002F4.docker-compose-for-beginners",{"title":137,"path":138,"stem":139},"Full-Stack Developer Reality: What the Title Actually Means","\u002Fen\u002Fblog\u002Ffull-stack-developer-reality","en\u002F3.blog\u002F40.full-stack-developer-reality",{"title":141,"path":142,"stem":143},"Cloud Egress Fees Compared: AWS vs. Azure vs. GCP Pricing","\u002Fen\u002Fblog\u002Fcloud-egress-fees","en\u002F3.blog\u002F41.cloud-egress-fees",{"title":145,"path":146,"stem":147},"Bring Your Own Cloud: What the Model Means and Why It","\u002Fen\u002Fblog\u002Fbring-your-own-cloud","en\u002F3.blog\u002F42.bring-your-own-cloud",{"title":149,"path":150,"stem":151},"Zero-Config Kubernetes: Why Simplicity Wins","\u002Fen\u002Fblog\u002Fzero-config-kubernetes","en\u002F3.blog\u002F43.zero-config-kubernetes",{"title":153,"path":154,"stem":155},"Minimalist Cloud Architecture: Why Less Complexity Means More Stability","\u002Fen\u002Fblog\u002Fminimalist-cloud-architecture","en\u002F3.blog\u002F44.minimalist-cloud-architecture",{"title":157,"path":158,"stem":159},"Software Deployment for SMBs: How Small Teams Ship Faster","\u002Fen\u002Fblog\u002Fsmb-software-deployment","en\u002F3.blog\u002F45.smb-software-deployment",{"title":161,"path":162,"stem":163},"EU Data Act: What Businesses and DevOps Teams Need to 
Know","\u002Fen\u002Fblog\u002Feu-data-act-business-devops","en\u002F3.blog\u002F46.eu-data-act-business-devops",{"title":165,"path":166,"stem":167},"Data Governance Act: What SMBs and DevOps Teams Need to Know","\u002Fen\u002Fblog\u002Fdata-governance-act-devops-guide","en\u002F3.blog\u002F47.data-governance-act-devops-guide",{"title":169,"path":170,"stem":171},"Self-Host Docmost with Docker Compose and Traefik: Complete Guide","\u002Fen\u002Fblog\u002Fself-host-docmost-with-docker-and-traefik","en\u002F3.blog\u002F5.self-host-docmost-with-docker-and-traefik",{"title":173,"path":174,"stem":175},"What Is Kubernetes? A Practical Guide to Container Orchestration","\u002Fen\u002Fblog\u002Fwhat-is-kubernetes","en\u002F3.blog\u002F6.what-is-kubernetes",{"title":177,"path":178,"stem":179},"The Cloud Illusion: Why a Server Location in Germany Doesn’t Guarantee Digital Sovereignty","\u002Fen\u002Fblog\u002Fcloud-illusion-digital-sovereignty","en\u002F3.blog\u002F7.cloud-illusion-digital-sovereignty",{"title":181,"path":182,"stem":183},"S3-Compatible Object Storage: The Best Solutions at a Glance","\u002Fen\u002Fblog\u002Fs3-compatible-object-storage","en\u002F3.blog\u002F8.s3-compatible-object-storage",{"title":185,"path":186,"stem":187},"Deployment as a Bottleneck: When AI Codes Faster Than You Can Deploy","\u002Fen\u002Fblog\u002Fdeployment-bottleneck","en\u002F3.blog\u002F9.deployment-bottleneck",{"title":189,"path":190,"stem":191,"children":192,"icon":206},"Getting Started","\u002Fen\u002Fdocs\u002Fgetting-started","en\u002F1.docs\u002F1.getting-started\u002F1.index",[193,196,201],{"title":194,"path":190,"stem":191,"icon":195},"Introduction","i-lucide-house",{"title":197,"path":198,"stem":199,"icon":200},"Get Started","\u002Fen\u002Fdocs\u002Fgetting-started\u002Fget-started","en\u002F1.docs\u002F1.getting-started\u002F2.get-started","i-lucide-rocket",{"title":202,"path":203,"stem":204,"icon":205},"How It 
Works","\u002Fen\u002Fdocs\u002Fgetting-started\u002Fhow-it-works","en\u002F1.docs\u002F1.getting-started\u002F3.how-it-works","i-lucide-lightbulb",false,{"title":208,"path":209,"stem":210,"children":211,"icon":206},"Guides","\u002Fen\u002Fdocs\u002Fguides","en\u002F1.docs\u002F2.guides\u002F1.index",[212,214],{"title":208,"path":209,"stem":210,"icon":213},"i-lucide-book-open",{"title":215,"path":216,"stem":217,"icon":218},"Connect a Container Registry","\u002Fen\u002Fdocs\u002Fguides\u002Fcontainer-registries","en\u002F1.docs\u002F2.guides\u002F2.container-registries","i-lucide-container",{"title":220,"path":221,"stem":222,"children":223,"icon":206},"App Services","\u002Fen\u002Fdocs\u002Fapp-services","en\u002F1.docs\u002F3.app-services\u002F1.index",[224,225,230,235,240,245],{"title":220,"path":221,"stem":222,"icon":200},{"title":226,"path":227,"stem":228,"icon":229},"Build Settings","\u002Fen\u002Fdocs\u002Fapp-services\u002Fbuild-settings","en\u002F1.docs\u002F3.app-services\u002F2.build-settings","i-lucide-settings",{"title":231,"path":232,"stem":233,"icon":234},"Env Variables","\u002Fen\u002Fdocs\u002Fapp-services\u002Fenvironment-variables","en\u002F1.docs\u002F3.app-services\u002F3.environment-variables","i-lucide-key",{"title":236,"path":237,"stem":238,"icon":239},"Custom Domains","\u002Fen\u002Fdocs\u002Fapp-services\u002Fcustom-domains","en\u002F1.docs\u002F3.app-services\u002F4.custom-domains","i-lucide-globe",{"title":241,"path":242,"stem":243,"icon":244},"Health Checks","\u002Fen\u002Fdocs\u002Fapp-services\u002Fhealth-checks","en\u002F1.docs\u002F3.app-services\u002F5.health-checks","i-lucide-heart-pulse",{"title":246,"path":247,"stem":248,"icon":249},"Autoscaling","\u002Fen\u002Fdocs\u002Fapp-services\u002Fautoscaling","en\u002F1.docs\u002F3.app-services\u002F6.autoscaling","i-lucide-scaling",{"title":251,"path":252,"stem":253,"children":254,"icon":206},"Helm 
Releases","\u002Fen\u002Fdocs\u002Fhelm-releases","en\u002F1.docs\u002F4.helm-releases\u002F1.index",[255,257,262,267,272,277,282],{"title":251,"path":252,"stem":253,"icon":256},"i-lucide-package",{"title":258,"path":259,"stem":260,"icon":261},"Deploy PostgreSQL","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-postgresql","en\u002F1.docs\u002F4.helm-releases\u002F2.deploy-postgresql","i-lucide-database",{"title":263,"path":264,"stem":265,"icon":266},"Deploy Redis","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-redis","en\u002F1.docs\u002F4.helm-releases\u002F3.deploy-redis","i-lucide-zap",{"title":268,"path":269,"stem":270,"icon":271},"Deploy n8n","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-n8n","en\u002F1.docs\u002F4.helm-releases\u002F4.deploy-n8n","i-lucide-workflow",{"title":273,"path":274,"stem":275,"icon":276},"Deploy RustFS","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-rustfs","en\u002F1.docs\u002F4.helm-releases\u002F5.deploy-rustfs","i-lucide-hard-drive",{"title":278,"path":279,"stem":280,"icon":281},"Deploy OpenSearch","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-opensearch","en\u002F1.docs\u002F4.helm-releases\u002F6.deploy-opensearch","i-lucide-search",{"title":283,"path":284,"stem":285,"icon":286},"Deploy Keycloak","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-keycloak","en\u002F1.docs\u002F4.helm-releases\u002F7.deploy-keycloak","i-lucide-shield-check",{"title":288,"path":289,"stem":290,"children":291,"icon":206},"Glossary","\u002Fen\u002Fdocs\u002Fglossary","en\u002F1.docs\u002F5.glossary\u002F1.index",[292],{"title":288,"path":289,"stem":290,"icon":293},"i-lucide-book-a",{"id":295,"title":77,"authors":296,"badge":302,"body":303,"date":571,"description":572,"extension":573,"image":574,"lastUpdated":576,"meta":577,"navigation":578,"path":78,"published":578,"seo":579,"stem":79,"tags":302,"__hash__":580},"posts\u002Fen\u002F3.blog\u002F27.dora-compliance-devops.md",[297],{"name":298,"to":299,"avatar":300},"Thomas 
Ens","\u002Fabout\u002Fthomasens",{"src":301},"\u002Fimages\u002Fblog\u002Fauthors\u002Fthomas.jpeg",null,{"type":304,"value":305,"toc":549},"minimark",[306,311,315,320,331,334,345,349,352,374,377,381,384,389,396,400,403,407,410,414,417,421,424,428,431,435,438,441,455,458,462,465,468,472,475,478,482,497,504,507,511,518,521,524,528,531,534,537,540,546],[307,308,310],"h1",{"id":309},"dora-compliance-for-devops-what-the-digital-operational-resilience-act-actually-means","DORA Compliance for DevOps: What the Digital Operational Resilience Act Actually Means",[312,313,314],"p",{},"Since January 2025, DORA has been mandatory for all financial enterprises in the EU — and by extension, for their cloud infrastructure, deployment processes, and external IT service providers. If you think this is a topic only for compliance departments, think again: DORA imposes concrete technical requirements that directly affect day-to-day DevOps operations. This article breaks down what's behind it, who it applies to, and what needs to change in practice.",[316,317,319],"h2",{"id":318},"what-is-dora-and-why-now","What Is DORA and Why Now?",[312,321,322,323,330],{},"DORA stands for Digital Operational Resilience Act, ",[324,325,329],"a",{"href":326,"rel":327},"https:\u002F\u002Fwww.bafin.de\u002FDE\u002FAufsicht\u002FDORA\u002FDORA_node.html",[328],"nofollow","EU Regulation No. 2022\u002F2554",". It was adopted in late 2022, giving companies two years to prepare. Since January 17, 2025, it is binding.",[312,332,333],{},"The goal is clear: make the European financial sector more resilient against cyberattacks, IT outages, and operational disruptions. DORA doesn't prescribe specific technologies — instead, it defines requirements for processes, documentation, testing, and contracts. 
That sounds abstract, but it has very concrete implications for operations.",[312,335,336,337,340,341,344],{},"The regulatory framework complements existing requirements such as the EBA Guidelines on ICT risk and the ",[324,338,339],{"href":70},"NIS2 Directive",". For organizations deploying AI systems, the ",[324,342,343],{"href":130},"EU AI Act adds further obligations"," around documentation, logging, and risk classification. However, DORA is significantly more specific and applies directly as a regulation, meaning there is no room for national interpretation.",[316,346,348],{"id":347},"who-does-dora-apply-to","Who Does DORA Apply To?",[312,350,351],{},"The scope is broader than many initially assume. Clearly affected are:",[353,354,355,359,362,365,368,371],"ul",{},[356,357,358],"li",{},"Credit institutions and banks",[356,360,361],{},"Insurance companies and reinsurers",[356,363,364],{},"Payment service providers and e-money institutions",[356,366,367],{},"Investment firms and fund managers",[356,369,370],{},"Crypto-asset service providers (under MiCA)",[356,372,373],{},"Trading venues and central counterparties",[312,375,376],{},"Particularly relevant for cloud providers and ICT service providers: DORA also covers critical ICT third-party service providers. If you operate as a cloud provider, data center, or SaaS vendor delivering essential services to financial enterprises, you may be directly supervised by the European Supervisory Authorities (ESAs). This can also apply to Kubernetes platforms running core business processes.",[316,378,380],{"id":379},"the-five-core-obligations-at-a-glance","The Five Core Obligations at a Glance",[312,382,383],{},"DORA structures its requirements into five main areas.",[385,386,388],"h3",{"id":387},"ict-risk-management","ICT Risk Management",[312,390,391,392,395],{},"Financial enterprises must build and document a comprehensive ICT risk management framework. 
This includes identifying critical systems, assessing dependencies (both internal and external), and implementing protection and recovery measures. Crucially, responsibility lies with the management body — at ",[324,393,394],{"href":30},"board level, not just within IT",".",[385,397,399],{"id":398},"incident-reporting","Incident Reporting",[312,401,402],{},"Significant ICT-related incidents must be reported within defined timeframes. The initial notification must be submitted within four hours of the incident being classified as significant, followed by an intermediate report after 72 hours, and a final report after one month. What qualifies as \"significant\" is defined by Regulatory Technical Standards (RTS) from the ESAs.",[385,404,406],{"id":405},"resilience-testing","Resilience Testing",[312,408,409],{},"All enterprises must conduct regular resilience tests — ranging from basic vulnerability assessments to TLPT (Threat-Led Penetration Testing) for systemically important institutions. TLPT is demanding: it simulates real attacker scenarios against production systems and must be performed by accredited test providers.",[385,411,413],{"id":412},"third-party-risk-management","Third-Party Risk Management",[312,415,416],{},"Contracts with ICT third-party service providers must include specific clauses: exit rights, audit and access rights for regulators, minimum standards for security and availability, and clear provisions on data location. If these clauses are missing, contracts must be amended — which is often cumbersome with large cloud providers.",[385,418,420],{"id":419},"information-sharing","Information Sharing",[312,422,423],{},"DORA actively promotes the voluntary exchange of threat intelligence between financial enterprises. 
This is less an operational obligation and more a regulatory framework for collective defense measures.",[316,425,427],{"id":426},"what-dora-concretely-means-for-devops","What DORA Concretely Means for DevOps",[312,429,430],{},"This is where it gets practical. DORA compliance for DevOps isn't an abstract concept — it changes how teams set up, document, and test their pipelines.",[385,432,434],{"id":433},"auditable-deployment-pipelines","Auditable Deployment Pipelines",[312,436,437],{},"DORA requires traceability. In concrete terms: every change to production-relevant systems must be documented, traceable, and demonstrable to supervisory authorities if needed.",[312,439,440],{},"For CI\u002FCD pipelines, this means:",[353,442,443,446,449,452],{},[356,444,445],{},"Complete logs of all deployments including timestamps, the person who triggered them, and the components changed",[356,447,448],{},"Mandatory code reviews and approval workflows for production deployments",[356,450,451],{},"Clear separation between test and production environments with documented handover processes",[356,453,454],{},"Change management following ITIL-like principles — even if the term sometimes causes discomfort in DevOps circles",[312,456,457],{},"This isn't rocket science, but it requires teams to deliberately align their toolchain for this purpose — not only when an auditor comes knocking.",[385,459,461],{"id":460},"recovery-objectives-rto-and-rpo-under-regulatory-pressure","Recovery Objectives: RTO and RPO Under Regulatory Pressure",[312,463,464],{},"DORA requires defined and tested RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for critical systems. The regulation doesn't prescribe specific values — but they must be documented, regularly tested, and demonstrably met.",[312,466,467],{},"For DevOps teams, this means disaster recovery scenarios can no longer exist only in concept papers. They must be regularly rehearsed, preferably in an automated fashion. 
Those running Kubernetes have structural advantages here: automatic failover, rolling updates, and declarative state management help make recovery processes reproducible.",[316,469,471],{"id":470},"concentration-risk-why-three-hyperscalers-are-a-problem","Concentration Risk: Why Three Hyperscalers Are a Problem",[312,473,474],{},"One of the most notable aspects of DORA is its explicit focus on concentration risk. Supervisory authorities acknowledge what has long been unspoken in the industry: when virtually the entire European financial infrastructure runs on the same two or three US-based cloud platforms, a systemic risk emerges.",[312,476,477],{},"If AWS goes down in a region — or becomes subject to a US government access request — hundreds of financial service providers are simultaneously affected. DORA doesn't demand an immediate move away from the major providers, but it does require companies to actively manage this risk: through diversification, exit scenarios, and an honest assessment of their dependencies.",[316,479,481],{"id":480},"cloud-in-germany-and-europe-dora-compliance-through-location","Cloud in Germany and Europe: DORA Compliance Through Location",[312,483,484,485,490,491,496],{},"One area where local and European cloud providers have a structural advantage is third-party risk management. DORA requires audit rights that are difficult to enforce with large hyperscalers in practice. ",[324,486,489],{"href":487,"rel":488},"https:\u002F\u002Faws.amazon.com\u002Fde\u002F",[328],"AWS"," and ",[324,492,495],{"href":493,"rel":494},"https:\u002F\u002Fazure.microsoft.com\u002Fde-de",[328],"Azure"," have standardized contracts — individual negotiations over access rights for regulators are the exception, not the rule.",[312,498,499,500,503],{},"With European providers operating out of German or European data centers, the situation is different. Contracts can be individually tailored. Audit access can be arranged in a concrete and legally sound manner. 
And physical control over data and infrastructure lies — unlike with offerings that fall under the US ",[324,501,502],{"href":62},"CLOUD Act"," — exclusively within the European legal framework.",[312,505,506],{},"For companies that need to be DORA-compliant, this isn't a minor detail. It's a structural difference in risk assessment.",[316,508,510],{"id":509},"exit-strategies-as-a-mandatory-exercise","Exit Strategies as a Mandatory Exercise",[312,512,513,514,517],{},"DORA explicitly requires companies to develop and document exit strategies for their ICT service providers. This sounds like administrative overhead, but it's technically challenging: those deeply integrated into ",[324,515,516],{"href":18},"proprietary cloud services"," can't simply switch.",[312,519,520],{},"This is where container-based infrastructure pays off. Workloads running on standardized Kubernetes manifests are more portable than those built deeply on proprietary managed services from a single provider. This isn't an argument against using managed services per se — but it is an argument for treating portability as a design principle, not an afterthought.",[312,522,523],{},"In practical terms: those already using Helm charts, GitOps workflows, and cloud-agnostic storage abstractions today will have fewer problems tomorrow when they actually have to execute an exit plan required by the regulation.",[316,525,527],{"id":526},"conclusion-dora-is-not-a-bureaucracy-issue","Conclusion: DORA Is Not a Bureaucracy Issue",[312,529,530],{},"DORA forces the financial sector to do something many teams should have done long ago: seriously document, test, and diversify their IT resilience. The regulation doesn't create new effort from nothing — it makes gaps visible.",[312,532,533],{},"For DevOps teams, this is an opportunity. Those who make their deployment processes auditable, regularly test their recovery scenarios, and consciously manage their cloud dependencies are building better systems anyway. 
DORA now provides a regulatory framework for exactly that.",[312,535,536],{},"The real work lies in the details: contract clauses, documentation processes, testing frequencies, service provider selection. Those who approach this strategically — rather than just ticking off a compliance checklist — come out stronger.",[538,539],"hr",{},[312,541,542],{},[543,544,545],"strong",{},"Kubernetes-native European infrastructure for regulated environments",[312,547,548],{},"If you're looking for a cloud platform that structurally supports DORA requirements — with clear audit rights, a German data center, and full Kubernetes portability — the lowcloud platform provides a practical foundation. No lock-in mechanisms, no gray areas in data sovereignty.",{"title":550,"searchDepth":551,"depth":551,"links":552},"",2,[553,554,555,563,567,568,569,570],{"id":318,"depth":551,"text":319},{"id":347,"depth":551,"text":348},{"id":379,"depth":551,"text":380,"children":556},[557,559,560,561,562],{"id":387,"depth":558,"text":388},3,{"id":398,"depth":558,"text":399},{"id":405,"depth":558,"text":406},{"id":412,"depth":558,"text":413},{"id":419,"depth":558,"text":420},{"id":426,"depth":551,"text":427,"children":564},[565,566],{"id":433,"depth":558,"text":434},{"id":460,"depth":558,"text":461},{"id":470,"depth":551,"text":471},{"id":480,"depth":551,"text":481},{"id":509,"depth":551,"text":510},{"id":526,"depth":551,"text":527},"2026-03-18","DORA has been mandatory since January 2025. What the EU regulation changes for CI\u002FCD pipelines, cloud strategies, and DevOps teams in the financial sector.","md",{"src":575},"\u002Fimages\u002Fblog\u002Fdora-compliance-devops.jpg","2026-03-26",{},true,{"title":77,"description":572},"xa3KYxtnhjYuhzThA9ig0yZOqromikXRIIyg8HKO7Js",[582,584],{"title":73,"path":74,"stem":75,"description":583,"children":-1},"Run Nextcloud, Collabora, and other open-source tools on EU infrastructure without the ops overhead. 
A practical guide to sovereign self-hosting.",{"title":81,"path":82,"stem":83,"description":585,"children":-1},"Egress fees, support tiers, idle resources, engineering hours — the cost factors missing from every cloud pricing calculator. A complete TCO breakdown.",1775388341443]