DORA and data sovereignty: control over data in the financial sector

The financial sector runs on trust. Not just trust in money, transactions, and services, but also in the digital systems behind them. A disruption at a bank, insurer, pension fund, or asset manager directly affects customers, regulators, and the organization’s reputation.

At the same time, the sector is digitizing rapidly. Cloud platforms, data analysis, and AI are used to make processes more efficient, detect fraud faster, and serve customers better. This development offers many opportunities but also makes financial institutions more dependent on digital infrastructure, external technology partners, and the availability of data.

Why cloud and AI are attractive

Cloud technology helps financial institutions work more flexibly. Systems can scale up faster during peak loads, such as heavy payment traffic, trading activities, or cyber incidents. Cloud infrastructure also makes it easier to develop new digital services and use advanced analytical tools.

AI adds a new layer to this. Think of fraud detection, risk models, customer interaction, compliance monitoring, and analyzing large amounts of unstructured data. For organizations with a lot of data and high administrative pressure, this can yield significant efficiency gains.

Who has control over the data, systems, and suppliers on which the organization runs?

DORA makes digital resilience mandatory

Since January 17, 2025, DORA has been applicable in the European Union. This Digital Operational Resilience Act requires financial institutions to have their digital resilience demonstrably in order. This involves not only cybersecurity but also ICT risk management, incident reporting, operational resilience, testing, and managing risks at external ICT suppliers.

This changes digital continuity from an IT topic into a boardroom issue. Financial institutions must be able to demonstrate that they are resistant to disruptions, can recover after incidents, and have control over the technology partners they depend on.

The latter is especially important. Many financial institutions use cloud providers, software platforms, and specialized service providers. Under DORA, third-party risk comes more sharply into focus. In 2025, European regulators designated 19 large technology companies as critical ICT third parties for the financial sector, including AWS, Google Cloud, Microsoft, IBM, and Bloomberg. Because of their role in critical financial processes, these parties can be audited directly by European regulators.

The dilemma of dependency

Cloud and AI are therefore attractive, but they also increase dependency on external technology. This doesn’t have to be a problem as long as the risks are manageable. The challenge arises when institutions have insufficient insight into where data is located, who has access, what underlying infrastructure is used, and how quickly recovery is possible in the event of an incident.

Data sovereignty in the financial sector is therefore not a theoretical subject; it comes down to practical questions:

  • Where are customer data, transaction data, and backups stored?
  • Who can access it, including through support or management channels?
  • How is data protected against ransomware or unwanted modification?
  • How quickly can an institution recover after a failure or attack?
  • How do you prevent a single supplier from becoming too great an operational risk?

DORA forces organizations to answer these questions concretely. Not just on paper, but also technically and operationally.

AI for efficiency, but not without governance

AI can help financial institutions work faster and make better decisions. Large language models can analyze documents, recognize signals, and support processes. But AI also brings risks. The quality of the output depends on the quality of the data. Models can make mistakes, reinforce biases, or present incorrect information as fact.

For financial institutions, this is especially sensitive. An error in a risk model, customer advice, or fraud detection system can have direct consequences for customers, compliance, and reputation. AI must therefore be deployed within clear frameworks. What data is used? Where is the model hosted? How are results checked? And how is it recorded which data, prompts, and decisions led to a given outcome?

Here too lies the link with DORA. Digital resilience is not just about keeping systems up and running, but also about managing technology that becomes part of critical processes.

The role of Comex

Financial institutions want to innovate but cannot afford a loss of control. Comex helps organizations set up their data infrastructure securely, auditably, and in a future-proof way.

With European and on-premise storage solutions, we support organizations in protecting critical data, strengthening backup and recovery, and limiting dependency on external platforms. In doing so, our solutions align with themes central to DORA: digital resilience, recovery capability, ICT risk management, and control over third parties.

Comex can also provide input on the use of local AI. Think of AI applications where sensitive financial data remains within the institution's own environment and is not processed in public cloud models. This allows financial institutions to benefit from innovation and efficiency without compromising on compliance, control, and continuity.
