Glossary · Cloud (regulated banking)
Cloud and sovereign cloud for regulated banking — DORA and exit
Moving critical workloads to the cloud in banking or insurance is not only a technical decision. DORA (EU Regulation 2022/2554) requires operational resilience, a documented exit strategy and control of concentration risk over critical ICT third-party providers. Sovereign cloud and hybrid cloud also answer data localisation and digital sovereignty, while Kubernetes provides the portability that makes reversibility credible. Cloud burst lets institutions absorb compute peaks (HPC) without over-provisioning on-premise.
Full content in Spanish. This English entry is a concise summary. The complete reference (including comparative tables, official sources and Vermont Solutions context) is available in the Spanish version: Read the full entry in Spanish →
Frequently asked
Can a bank run fully on public cloud under DORA?
DORA does not ban public cloud, but requires managing it as a potentially critical third-party ICT service: registry of arrangements, risk assessment, contractual clauses, a documented exit strategy and concentration-risk control. In practice many institutions adopt a hybrid, multi-cloud model to avoid depending on a single provider and to demonstrate reversibility to the supervisor.
What is sovereign cloud?
Sovereign cloud is a cloud offering designed to ensure data and its control remain under a specific jurisdiction —usually the EU— and isolated from foreign access, with local operation and governance. It answers requirements of data localisation, protection from extraterritorial legislation and digital sovereignty, increasingly present in European banking, insurance and the public sector.
What are exit strategy and reversibility?
It is the documented plan to leave a cloud provider —planned or after a severe incident— without disrupting critical functions. DORA, in Article 28, requires it for critical ICT providers. Technical reversibility —moving data and workloads to another provider or on-premise— relies on open formats, containers and Kubernetes orchestration to reduce coupling.
What is cloud burst and how does it help HPC?
Cloud burst keeps the base compute load on owned infrastructure and overflows only the peaks —month-end risk runs, a one-off regulatory scenario— to the cloud. In HPC workloads (Monte Carlo, FRTB, XVA, actuarial calculation) it avoids over-provisioning the on-premise grid for a rare peak, optimising cost without losing capacity.
English summary maintained by Vermont Solutions. Citable with attribution. Regulation evolves — verify the latest version at the official source linked in the Spanish entry. Does not constitute legal advice.