DORA exit strategy for financial services: portable cloud architecture with Upsun

Financial institutions are required to prove they can operate safely in the cloud without becoming dependent on a single technology provider. What happens if your cloud provider fails, or you are required to move?

The question used to be theoretical. However, since January 2025, it has become a compliance requirement. 

The EU's Digital Operational Resilience Act (DORA) requires banks, insurers, and investment firms to demonstrate they can withstand disruptions to the cloud platforms they rely on, including maintaining a documented, tested exit strategy for each technology provider.

For many organizations, this exposes a hard truth: most modern cloud deployments are deeply tied to one provider. 

If a regulator asks how you would move off AWS tomorrow, "we would figure it out" is no longer an acceptable answer.

The vendor lock-in trap

Most cloud architectures are not portable. They are built on provider-specific services: AWS Lambda functions, Azure-native databases, and GCP-only networking configurations, creating deep, invisible dependencies. Over time, these dependencies accumulate.

Moving off a single cloud provider doesn't just mean changing a hosting account. It means re-architecting your application. 

For a regulated bank, this is risky. If a bank cannot move workloads away from a provider, then it cannot prove resilience against outages, regulatory action, or geopolitical disruption.

This is the concentration risk DORA was designed to address. 

In November 2025, EU supervisory authorities designated 19 ICT providers as critical under DORA, including AWS, Microsoft Azure, and Google Cloud. These providers now face direct EU-level oversight. 

For financial entities depending on them, the message is clear: prove you are not trapped.

Under DORA Article 28, financial entities must be able to exit contracts with ICT providers without disrupting services or violating regulatory requirements. That means institutions must:

• Maintain documented exit strategies
• Identify alternative providers and develop transition plans
• Plan data migration and transition processes
• Regularly test and review exit plans

Why multi-cloud alone is not a DORA exit strategy

When teams hear the term "exit strategy," the instinct is often to adopt a multi-cloud runtime: run applications simultaneously across multiple providers.

In practice, this approach is expensive and complex. 

Running production workloads across several clouds requires duplicated infrastructure, duplicated monitoring, and duplicated operational teams. Even worse, the application itself may still depend on provider-specific services. True portability remains out of reach.

What financial institutions really need is standardized portability: a deployment model where applications can be recreated on another infrastructure provider without redesigning the entire system.

Standardized portability: the Upsun approach

Upsun takes a different approach to this problem. 

Rather than building applications around a specific cloud provider, Upsun standardizes how applications are defined and deployed. The foundation of this approach is a single configuration file: .upsun/config.yaml.

This configuration defines the entire application environment:

• Runtime versions
• Services (databases, caches, search engines)
• Build and deploy processes
• Routes and networking
• Scheduled tasks

Your infrastructure definition isn't locked inside a cloud console or a proprietary orchestration layer. It's versioned, auditable, and portable.

Because the configuration is provider-agnostic, the application environment can be recreated on any supported infrastructure, including AWS, Azure, Google Cloud, IBM, and OVHCloud, without redesigning the deployment model.

If a regulator requires a move or a provider experiences a prolonged outage, the application can be restored or migrated to another supported provider using the same Upsun configuration and Git-based workflow.

What this means for DORA compliance

DORA Article 28 requires financial entities to maintain actionable exit strategies, while Article 30 sets out specific contractual provisions that must be included in agreements with ICT providers,  covering service continuity, termination rights, and data transition. 

Upsun already offers a DORA Contractual Addendum to help financial services customers meet these requirements.

But the technical side is just as important as the contractual side. DORA expects actionable exit plans, not theoretical. 

A portable, version-controlled infrastructure definition gives compliance teams something concrete to point to: here is the blueprint.

Combined with Upsun's existing compliance credentials, ISO 27001, SOC 2 Type 2, PCI DSS Level 1, HIPAA, and validation for IBM Cloud for Financial Services, Upsun is designed to support teams that operate in regulated environments.

Portability isn't the whole picture: migration requires planning

An honest exit strategy requires more than a portable config file. 

Moving a production application between cloud providers still requires a planned migration process: data transfer, integration retesting, DNS cutover, performance validation, and stakeholder sign-off. 

No platform eliminates that work entirely.

What Upsun eliminates is the infrastructure re-architecture. 

Your application code doesn't change. Your build pipeline doesn't change. Your service definitions don't change.

The migration effort focuses on the operational steps: data, testing, and cutover, not on rebuilding everything from scratch. That's a fundamentally different starting position than re-platforming from a provider-specific architecture.

A practical starting point

If you're a financial institution preparing for DORA's exit strategy requirements, start here:

1. Audit your current provider dependencies. Identify which services are provider-specific and which are portable.
2. Evaluate how your infrastructure is defined. Is it in code, or is it locked in a console?
3. Ask your platform provider a direct question: If we needed to move to a different cloud next quarter, what would that actually involve?

With Upsun, the answer starts with a file that's already in your Git repository.

Learn more

• DORA compliance: how Upsun supports financial services
• Faster, compliant delivery on regulated cloud with Upsun and IBM Cloud for Financial Services
• How B2B multi-cloud platforms simplify multi-cloud deployment