Editorial

Cloud Outages Expose the Need for DORA-Level Resilience

Two of the world’s largest cloud providers, Azure and AWS, experienced significant outages within the same fortnight. The events reinforced why regulators are tightening expectations under DORA and UK operational resilience frameworks. For firms operating critical services in the cloud, resilience must now be designed, tested, and governed to regulatory standards.

Contributor

Sam works in Delta Capita’s Data, Technology & AI practice. He has over nine years’ experience delivering regulatory and data transformation programmes across global financial institutions.

Sam Gaunt
Managing Consultant

What Happened

Azure Front Door outage (29 October 2025)
Microsoft confirmed that an inadvertent configuration change in Azure Front Door caused latency, timeouts, and access issues across multiple Azure services and some customer applications. Microsoft blocked further changes and rolled back to a stable configuration, with service restored the same day.

AWS DynamoDB outage (19–20 October 2025)
A separate fault in AWS DynamoDB’s DNS management removed key endpoint records, so dependent services could no longer connect. This triggered knock-on issues across compute, automation, and analytics services and took around 15 hours to fully recover, illustrating how tightly coupled hyperscale cloud platforms are.

The Common Lesson
Although Azure’s control-plane misconfiguration and AWS’s DynamoDB DNS failure were technically unrelated, both demonstrate how a single internal process fault within a hyperscale provider can ripple through critical infrastructure layers, leading to system-wide service impact.

These events are a stark reminder of why regulators are doubling down on ICT concentration risk, dependency mapping, and resilience testing under DORA, PRA SS1/23, and EBA Guidelines.

Regulatory Context: DORA, PRA, and EBA Expectations

The Digital Operational Resilience Act (DORA), alongside PRA SS1/23 and EBA Outsourcing Guidelines, requires firms to demonstrate that ICT service providers (including cloud partners) are resilient, monitored, and replaceable.

So, what should regulated firms take away from these incidents?

  1. Third-Party Dependency Management
  • Incidents across multiple hyperscalers confirm that dependency risk is sector-wide, not provider-specific.
  • Firms must maintain comprehensive cross-provider dependency maps to evidence control and recovery assurance.
  2. Resilience Testing and Business Continuity
  • DORA Articles 26–27 require severe-but-plausible scenario testing.
  • Cloud control-plane and regional routing failures, such as Azure Front Door and AWS DNS, should now be explicitly tested.
  3. Governance and Incident Reporting
  • Under DORA and PRA rules, firms must report major ICT incidents within defined timelines.
  • Provider transparency and notification speed must align with regulatory reporting obligations and internal escalation procedures.

Our Recommendations for Financial Institutions

1. Strengthen Regulatory Readiness

  • Review DORA, PRA SS1/23, and FCA operational resilience expectations for third-party and cloud risk management.
  • Assess exposure across cloud regions to avoid single-region or single-provider concentration.
  • Update resilience testing schedules to include third-party cloud failure scenarios.

2. Map Risks Against Key Cloud Dependencies

  • Build a cross-service dependency map identifying critical components, data flows, and provider interconnections.
  • Evaluate multi-provider concentration and substitution risk for critical workloads.
  • Conduct impact assessments for regional or platform-level outages to inform continuity planning.

3. Build Operational Resilience by Design

  • Implement multi-region and multi-cloud failover strategies for material business services.
  • Integrate resilience metrics and DNS-level monitoring into enterprise dashboards.
  • Rehearse cloud-outage response procedures jointly across technology, risk, and compliance functions.

4. Strengthen Strategic and Board Oversight

  • Engage boards and senior management to review cloud concentration exposure, outsourcing oversight, and risk appetite.
  • Benchmark the firm’s resilience posture and third-party oversight against peers and supervisory expectations.
  • Ensure board-level attestation of resilience testing outcomes and dependency-management frameworks.

How Delta Capita Can Help

Delivering DORA-Ready Resilience Through Expertise and Technology

Delta Capita helps financial institutions strengthen operational resilience and achieve compliance under DORA, PRA SS1/23, and EBA Outsourcing Guidelines.
Our model combines regulatory expertise with technology-enabled delivery, enabling firms to automate assurance, enhance oversight, and evidence compliance efficiently.

Technology-Enabled Resilience
Delta Capita leverages a suite of regulatory and operational resilience accelerators to help clients embed control and assurance into their operating models. Our technology-led approach enables firms to:

  • Digitise and map critical processes, risks, and dependencies across business services.
  • Automate oversight dashboards and regulatory self-assessments to evidence compliance maturity.
  • Strengthen third-party risk management through a dedicated platform providing end-to-end visibility of supplier relationships and critical service dependencies.
  • Conduct scenario testing and resilience monitoring aligned to regulatory expectations.


Together, these capabilities deliver technology-enabled assurance, turning complex regulatory requirements into structured, repeatable, and measurable outcomes.

We recently supported a global financial institution in delivering a large-scale operational resilience and regulatory remediation programme, closing audit findings, implementing enhanced governance, and embedding a regulator-ready compliance framework.


Building on this experience, we offer a three-phase engagement model to help firms accelerate readiness for DORA and related resilience regulations:

1. Diagnostic – Assess Current State
Dependency mapping, DORA readiness review, and resilience gap analysis.

2. Design – Build the Framework
Resilience and testing strategy, control digitalisation, and operational playbook development.

3. Delivery – Implement and Embed
Execution support, resilience testing coordination, MI and regulatory reporting, and continuous assurance enablement.

Conclusion

The Azure and AWS outages demonstrate how unrelated technical faults can produce the same result: a ripple effect through critical cloud services and business operations.

For financial institutions, these events validate regulators’ focus on ICT concentration, third-party risk, and operational resilience. True resilience is not just about bouncing back; it’s about knowing your dependencies, testing your limits, and staying ahead of the next disruption.

With DORA and UK operational resilience standards setting the benchmark, Delta Capita helps clients translate regulation into readiness by combining regulatory insight, data, and technology to deliver lasting operational resilience.
