
Q&A: Alfa on meeting rising regulatory demands on cloud resilience

Wed, Sep 10, 2025, 10:43 AM

In this Q&A, Leasing Life Editor Alejandro Gonzalez (AG) speaks with Alex Barnes (AB), Director of Cloud Hosting at Alfa, about how shifting regulatory demands and increasingly sophisticated threats are reshaping backup strategies.

Under the EU’s DORA and the EBA/PRA guidelines, banks and lenders must treat outsourced digital services as integral parts of their operational resilience, enforcing a full ICT risk-management cycle, from rigorous pre-outsourcing due diligence and detailed contractual SLAs covering data security, audit rights and exit plans, to continuous monitoring, periodic reviews and clear incident-reporting protocols. The rules also mandate regular scenario-based resilience testing, including threat-led penetration exercises, and, for critical providers, direct supervisory oversight to ensure third-party systems can withstand disruption without compromising business continuity or compliance.

Barnes explains how Alfa Cloud’s Data Guardian architecture — with its three-layer approach to storage and recovery — is designed to meet these pressures.

AB: There’s definitely an ongoing evolution of ever-more sophisticated cyber threats - not a day goes by without hearing of a new ransomware or attack, often at supply chains.

On top of that, increased regulatory focus - such as DORA or EBA/PRA regulations - means that outsourcing to a SaaS provider doesn't remove the obligations for continued service for our customers.

We’ve always architected and operated Alfa Cloud such that we could automatically rebuild any customer’s isolated infrastructure in a few hours, so we recognised that by evolving our backup strategy, we could provide resilience against almost any reasonably foreseeable incident. We decided to make this part of our standard platform at no additional cost to our customers because we consider this to be a critical part of incident preparedness.

AB: Our overall strategy, of which Data Guardian is a key component, is based on considering the worst-case outcomes: What if an attacker was somehow authenticated and inside our network via a phishing attack? What if there was a significant terrorist event or other outage in a particular region? What if the primary cloud platform had an extended, multi-regional outage?
