Regulatory Resilience in the Cloud Era: Visibility, Control, and the Compliance Mandate for Financial Services
As we move through the second half of 2025, the digital transformation agenda in financial services is no longer measured by acceleration alone – it is defined by clarity, control, and compliance. The recent surge in AI adoption, SaaS expansion, and cloud-native development has introduced unprecedented operational complexity – as well as costly operational risks. Yet regulatory frameworks are only now being implemented, or are about to be implemented, in earnest.
For financial institutions operating across jurisdictions, the regulatory lens is intensifying. In Europe, the Digital Operational Resilience Act (DORA) is entering its enforcement phase, fundamentally reshaping the expectations for how technology risk in the financial services vertical is governed. Meanwhile, the UK’s upcoming Cyber Security and Resilience Bill signals a parallel shift, making it clear that operational resilience is not merely an IT concern, but a board-level accountability.
Both frameworks converge on one foundational requirement: visibility.
From Digital Growth to Digital Governance
Financial institutions have now spent years digitising their operations – but not always in a coordinated way. Fragmented ownership of IT assets, overlapping SaaS contracts, and siloed data have created environments rich in innovation but vulnerable to compliance risks.
DORA, which comes into full effect in January 2025, directly addresses this risk. It demands that financial entities – and their critical ICT third-party providers – maintain robust oversight over ICT risk, ensure traceability and auditability of systems, and demonstrate business continuity and recovery planning.
In practice, that means:
- Knowing where data resides and who is responsible for its lifecycle
- Mapping interdependencies between cloud services and critical business operations
- Documenting change management and incident response processes with regulatory-grade clarity
- Demonstrating the resilience posture of both internal systems and external partners, including SaaS providers
For third-party cloud service providers, such as Custodia, this is not merely a matter of contractual SLA updates. It is now central to client due diligence, procurement, and supervision conversations.
Visibility Is Not Optional – It’s Regulatory Capital
Cloud services that once promised flexibility are now being re-evaluated through the lens of controllability. The shift in DORA – echoed in the UK’s policy developments – is that outsourced services do not mean outsourced accountability.
Financial entities must be able to:
- Inventory all ICT assets, including SaaS vendors and AI applications
- Classify services based on criticality
- Ensure that providers can demonstrate continuous monitoring, incident response, and contractual exit strategies
AI Governance: From Experimentation to Accountability
AI is accelerating transformation across the financial vertical, but it remains under-governed. Many financial firms are actively integrating AI into internal processes, and its rapid adoption has outpaced traditional governance models.
DORA, along with global supervisory momentum, is beginning to close that gap. Institutions are now being pushed to treat AI services with the same level of scrutiny applied to critical ICT systems: ensuring explainability, auditability, and lifecycle accountability.
What Comes Next: Cloud Maturity Defined by Control
The remainder of 2025 will be a test for how well organisations – and their vendors – can adapt to this new regulatory reality. For SaaS providers in the archiving, communication capture, and compliance technology space, the message is clear.
In this new phase, Custodia offers cloud maturity that is not just about scale – it’s about traceability, governance, and resilience, ensuring our clients can use CC1 capabilities to not only meet rising regulatory expectations, but also navigate a complex and fast-changing risk landscape.