How to design DORA-compliant customer communication for digital resilience in the EU

JuliaMatuszewska
Apr 06, 2026

In this guest blog post from Microsoft Marketplace partner MessageFlow, Julia Matuszewska, AI & Technical Content Writer, Vercom, discusses how Vercom MessageFlow can help financial institutions reduce risk, better prepare for audits, and increase compliance by aligning with international regulations and best practices.

Digital customer communication is core to how financial institutions operate. Transaction alerts, one-time passwords, fraud warnings, crisis notifications, and regulatory disclosures are not optional add-ons — they are essential to customer trust and service continuity.

Since January 2025, the European Union’s Digital Operational Resilience Act (DORA) has changed how these systems are viewed. What used to be considered a supporting IT function is now, in many cases, a regulated digital service.

For the more than 22,000 EU financial institutions covered by DORA, this has major implications.

When customer communication becomes a regulatory issue

DORA introduces a harmonized framework for information and communication technology (ICT) risk management, incident handling, and operational resilience. Its scope goes well beyond traditional infrastructure.

If a customer communication system supports a critical or important function, such as authentication, transaction execution, or legally required notifications, it falls under supervisory scrutiny.

In practice, this means:

  • communication outages may become reportable incidents,
  • security weaknesses can trigger regulatory concerns,
  • and incomplete documentation can delay audits and supervisory reviews.

Customer communication is no longer peripheral. It is part of the institution’s operational resilience posture.

DORA’s shared responsibility across the ICT ecosystem

A key change introduced by DORA is its approach to third-party ICT providers.

Responsibility for digital resilience does not stop with internal systems. It extends to cloud platforms, communication service providers, and any external technology supporting regulated activities.

Even if a disruption occurs at the provider level, the financial institution remains accountable. As a result, institutions must be able to demonstrate that their ICT providers are:

  • resilient and well-governed,
  • transparent and auditable,
  • and operating under clear security and continuity controls.

The role of cloud platforms under DORA

Cloud adoption remains central to modern financial services, but under DORA, cloud choices carry regulatory weight.

Beyond scalability and cost efficiency, institutions must consider EU regional availability and geographic redundancy, data residency and processing locations, contractual service-level commitments, audit and supervisory support, and third-party risk management capabilities.

Microsoft Azure as a DORA-relevant cloud environment

Microsoft Azure is commonly used by EU financial institutions as a cloud environment that supports regulatory and operational requirements. The platform operates in multiple regions within the European Union, enabling geographic redundancy and data residency configurations.

Azure provides contractual service-level commitments, security controls such as encryption and identity management, and tooling for logging, monitoring, and incident detection. These capabilities support DORA expectations related to ICT risk management, incident reporting, and third-party oversight.

The platform also offers compliance documentation and mappings institutions may use as part of their internal risk assessments and supervisory interactions.

Why the application layer still matters

Compliance at the infrastructure level does not automatically ensure resilience at the application or service layer. DORA also applies to ICT services that operate on top of cloud infrastructure, including customer communication platforms like MessageFlow from Vercom.

Where communication services support critical or important functions, institutions should expect providers to demonstrate:

  • high availability and appropriate redundancy,
  • transparency regarding data processing and storage locations,
  • security monitoring and incident detection capabilities,
  • and the ability to support audits and supervisory requests.

These requirements are particularly relevant for communications platform as a service (CPaaS) offerings when used for authentication, alerts, and mandatory customer notifications.

MessageFlow: Communication designed with DORA in mind

MessageFlow is a CPaaS platform available via Microsoft Marketplace and used by regulated organizations for secure, reliable customer communication at scale. The platform supports over 79,000 brands across more than 180 countries and processes approximately 11.7 billion messages per month, maintaining 99.9% deliverability.

MessageFlow works with organizations in highly regulated sectors, including banking, financial services, insurance, retail, logistics, and e-commerce. Trusted by global brands such as Rossmann, IKEA, Victoria’s Secret, ING Bank, DPD, and Douglas, the platform enables enterprises to communicate with customers securely, efficiently, and in line with regulatory expectations.

The platform operates on infrastructure aligned with recognized international standards, including ISO/IEC 27001:2022, ISO/IEC 27018:2019, and ISO/IEC 22301:2019. All customer messaging data is processed and stored exclusively within the European Economic Area, supporting GDPR and DORA requirements.

Business continuity measures include documented business impact analyses, disaster recovery and continuity plans, and regular testing. Security controls include continuous monitoring, penetration testing, and formalized incident management procedures. More detailed information on MessageFlow’s security and compliance approach is available on our security page.

Independent audit confirmation of DORA alignment

At the end of 2025, Vercom underwent an independent ICT security audit conducted by a banking auditor on behalf of a financial institution. The audit confirmed an above-average, exemplary level of maturity in information security management and digital operational resilience. Auditors verified alignment with DORA expectations and ISO/IEC 27001:2022 controls, and concluded that the implemented mechanisms not only meet regulatory requirements but also reflect recognized best market practices.

Beyond technical security controls, the audit highlighted the quality, consistency, and completeness of documentation supporting supervisory review. The auditor confirmed Vercom has achieved a model level of compliance, noting its approach and solutions may serve as a benchmark for other organizations implementing DORA and ISO/IEC 27001 requirements.

What this means for Azure-based financial institutions

The MessageFlow audit results are particularly relevant for EU-based financial institutions, as well as organizations serving EU customers that are subject to EU regulatory requirements and operate within an Azure environment. For these teams, the key takeaway is simple: Customer communication can be handled through a service that fits naturally into the same regulatory, cloud, and procurement framework as their existing Azure setup.

Because MessageFlow is available directly through Microsoft Marketplace — including sending email via Azure with the MessageFlow Email API, SMS delivery from Azure, and the Mix & Match Email and SMS option — institutions can use a single platform for both critical messages, such as authentication and alerts, and non-critical communications. This unified approach makes communication services easier to document, review, and assess from a risk and compliance perspective.

Purchasing Mix & Match Email and SMS Communication by MessageFlow through Microsoft Marketplace also helps reduce day-to-day complexity. Vendor oversight becomes more straightforward, audit preparation requires less effort, and demonstrating the resilience of customer communication services to supervisors and auditors involves less operational work overall.

Updated Apr 02, 2026
Version 1.0