Europe’s financial and wider cloud ecosystem is moving from policy design to proof of execution, and that shift is sharpening pressure on providers to demonstrate that resilience is real rather than merely promised.
ALSO Group argues that the January 2025 start of the EU’s Digital Operational Resilience Act was never meant to be treated as a finish line. Instead, 2026 is emerging as the year when financial firms and their suppliers must show they can withstand disruption in...
Continue Reading This Article
Enjoy this article as well as all of our content, including reports, news, tips and more.
By registering or signing into your SRM Today account, you agree to SRM Today's Terms of Use and consent to the processing of your personal information as described in our Privacy Policy.
practice, not just document their intentions. The company says the regulatory mood has changed from paper compliance to live evidence, with supervisors increasingly expecting organisations to prove continuity under stress.
That warning lands against a broader European backdrop. The European Banking Authority says DORA creates a common framework for digital operational resilience across financial entities, while also bringing critical third-party ICT providers into supervisory scope. In parallel, IBM notes that cloud service providers may be affected both indirectly, through changes to security and resilience controls, and directly if they are designated as critical providers. That is a sign of how far the regulation reaches into the technology supply chain.
ALSO’s Mark Appleton says the new environment makes resilience a commercial as well as a regulatory issue. In his view, cloud partners can no longer treat failover, incident response and vendor governance as back-office concerns. Instead, he argues that customers will increasingly favour suppliers able to show how systems behave when a major cloud region fails or a key software provider is compromised.
The stakes are high because Europe’s digital infrastructure is tightly interlinked. A recent Boston Consulting Group report warned of a widening resilience gap, saying that a major outage could spread quickly across payments, financial stability and even emergency response systems. That concern is echoed by the regulatory push around DORA, which requires firms to map ICT dependencies, manage third-party risk and test their ability to recover from disruption.
The compliance burden is becoming more operationally demanding as well. German institutions, for example, are facing reporting obligations for their ICT third-party registers in 2026, including detailed disclosure of contracts, hosting locations and subcontractors. At the same time, the European Supervisory Authorities have already begun naming critical ICT providers for direct oversight, underscoring that concentration risk and dependency mapping are now central issues for regulated firms.
For ALSO, the answer lies in turning resilience into something continuous and measurable. That means automated incident reporting, stronger exit planning, regular stress testing and more disciplined oversight of suppliers. The company also points to cloud marketplaces and platform-level monitoring as a way to collect configuration, identity and activity data across multi-vendor environments, making resilience less of an annual audit exercise and more of a live operating standard.
As Appleton sees it, the market is shifting in favour of partners that can provide evidence every day, not just reassurance once a year. In a more interconnected and more tightly supervised European market, he argues, operational readiness is becoming part of the product.
Source: Noah Wire Services
