ABSTRACT Financial institutions turn to cloud services and entrust cloud providers with increasingly important tasks. The relationship between these two groups has largely existed outside regulatory parameters, but Digital Operational Resilience Act (DORA) is set to change that dynamic when it becomes applicable in 2025. This paper tackles two issues in this context. Firstly, it identifies the legal and practical challenges that EU financial institutions may encounter while adopting and utilising cloud services under the DORA regime. Challenges during the adoption stage include the selection of providers, decisions regarding the transfer of critical or important functions, and the choice of contractual clauses. In the usage stage, data security and financial stability emerge as the most critical concerns. One overarching difficulty is concentration risk. Secondly, the question of how to address these issues arises. Fortunately, identified challenges can be mitigated if financial institutions choose appropriate cloud deployment and service models.