Frequently Asked Questions

DORA Compliance & Regulatory Requirements

What is DORA compliance and who does it affect?

DORA (Digital Operational Resilience Act) is a European Union regulation designed to mitigate IT and cybersecurity risks in the financial services industry. It applies to banks, credit agencies, pension funds, investment firms, and virtually all finance-related businesses operating in the EU, as well as Information and Communication Technology (ICT) service providers—including managed service providers (MSPs), cloud service providers, data center operators, and IT suppliers—that serve these financial institutions. DORA applies regardless of where the company is headquartered if it serves EU citizens or banks. Note: DORA is specific to the EU financial sector and its ICT vendors; organizations outside this scope are not directly impacted. [Official DORA Regulation]

What are the key requirements of DORA for backup and recovery?

DORA mandates regular, systematic backups, the maintenance of at least one secondary processing site with adequate resources, and the ability to calculate and meet Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Organizations must also conduct regular resilience testing, manage third-party risks, and provide audit trails for backup and recovery operations. Note: DORA does not specify exact backup intervals but expects routine, automated, and auditable processes. [DORA Article 12]

When does DORA enforcement begin, and what are the penalties for non-compliance?

DORA became official on January 16, 2023, with enforcement starting January 17, 2025. Non-compliance can result in fines up to 2% of total annual revenue and personal fines up to 1 million euros for responsible individuals. These penalties are in addition to reputational and operational risks. Note: Enforcement applies to organizations and individuals deemed responsible for compliance failures. [GDPR fine data for context]

Features & Capabilities for DORA Compliance

How does N2W help organizations meet DORA backup and recovery requirements?

N2W provides automated, scheduled backups for AWS and Azure, supports cross-cloud and cross-region backup (fulfilling secondary processing site requirements), and enables granular restore and rapid recovery to meet RTO/RPO targets. Features like immutable backups, compliance reporting, and audit-ready logs help organizations demonstrate DORA compliance. Note: While N2W covers core backup and recovery requirements, organizations must ensure their overall risk management and incident response processes also align with DORA. [N2W Product Page]

What specific N2W features support DORA compliance?

Key N2W features for DORA compliance include:

Note: N2W does not provide incident response or third-party risk management outside backup/recovery scope; these must be addressed separately. [AWS Backup Product Page]

Does N2W support automated compliance reporting for DORA audits?

Yes, N2W offers automated compliance reporting and customizable audit-ready reports that demonstrate backup immutability, recoverability, and adherence to regulatory requirements such as DORA, HIPAA, SOC 2, and GDPR. These reports simplify audit preparation and help organizations prove compliance. Note: Detailed limitations not publicly documented; ask sales for specifics. [N2W Trust Center]

How does N2W address DORA's requirement for a secondary processing site?

N2W supports cross-cloud, cross-region, and cross-account backup and recovery, enabling organizations to maintain secondary processing sites in different clouds, regions, or accounts. This helps meet DORA's mandate for a distinct backup environment with adequate resources. Note: Organizations must ensure their secondary sites meet all DORA staffing and operational requirements. [Cross-Account DR Guide]

Implementation & Technical Requirements

How quickly can N2W be implemented for DORA compliance?

N2W implementations can be completed in as little as two weeks, supported by dedicated Customer Success Managers, onboarding calls, and detailed documentation. A 30-day free trial is available for evaluation. Note: Actual compliance timelines depend on organizational readiness and integration with broader risk management processes. [Free Trial]

What technical documentation is available to support DORA compliance with N2W?

N2W provides comprehensive user guides, release notes, RESTful API documentation, upgrade guides, and IAM permission files to support secure deployment and compliance. These resources help organizations configure, manage, and audit their backup and recovery processes. [User Guide] [API Documentation]

Security, Compliance & Certifications

What security and compliance certifications does N2W hold?

N2W is independently certified for ISO/IEC 27001:2022 and is SOC compliant by inheritance (leveraging AWS and Azure compliance). N2W also supports compliance with HIPAA, GDPR, FedRAMP, ITAR, and CJIS. Customers can request a copy of the ISO certificate by contacting customer.success@n2ws.com. Note: For full details, visit the N2W Trust Center. [Trust Center]

How does N2W ensure data security and sovereignty for regulated industries?

N2W runs natively inside AWS or Azure environments, ensuring that backups never leave the customer's cloud environment. All connections are protected with TLS/HTTPS, and features like immutable backups, air-gapped protection, and multi-factor authentication enhance security. N2W supports AWS GovCloud for government and regulated environments. Note: Data sovereignty is maintained, but organizations must configure their cloud environments to meet all local requirements. [Trust Center]

Use Cases & Industry Fit

Which industries and organizations benefit most from N2W for DORA compliance?

N2W is used by financial institutions, banks, insurance companies, managed service providers, and IT vendors serving the finance sector—especially those operating in or serving the EU. Case studies include organizations like Johnson & Johnson, Western Union, and various banks and fintechs. Note: N2W is also used in healthcare, public sector, retail, education, and nonprofits, but DORA is specific to finance and ICT providers. [Case Studies]

Can you share examples of organizations using N2W for regulatory compliance?

Yes. For example, Skechers standardized backup and recovery across a multi-cloud estate, St. John's University improved backup reliability and reduced costs, and DB Systel (Deutsche Bahn) automated backup for petabyte-scale data. These organizations demonstrate N2W's effectiveness in regulated and complex environments. Note: While these cases show compliance benefits, each organization must validate its own regulatory requirements. [Case Studies]

Competition & Comparison

How does N2W compare to AWS Backup for DORA compliance?

N2W offers immutable backups, cross-cloud recovery (AWS and Azure), granular file/folder-level restore, custom disaster recovery retention policies, and multi-tenancy—features not available in AWS Backup. N2W also provides intelligent storage tiering and customizable compliance reporting. AWS Backup is limited to AWS environments, lacks immutable backups, and requires Lambda scripting for automation. Note: AWS Backup may be suitable for organizations with simple AWS-only needs; N2W is better for multi-cloud, regulated, or complex environments. [AWS Backup Comparison]

Limitations & Considerations

Are there any limitations to using N2W for DORA compliance?

N2W addresses backup, recovery, and compliance reporting requirements but does not provide full incident response, third-party risk management, or all aspects of operational resilience required by DORA. Organizations must supplement N2W with additional tools and processes for complete DORA compliance. Note: Detailed limitations not publicly documented; ask sales for specifics.

How DORA (Digital Operational Resilience Act) Changes Your Backup and Recovery Game

DORA mandates regular backups, strict restore requirements and more. Dig deeper into DORA compliance and how it affects your backup strategy for your critical data. Read our guide on how to easily comply just in time for the January 17th deadline.
Share post:

You certainly know that creating and testing data backups is a best practice for protecting your business and customers. But did you know data backups are also a requirement imposed by government regulators?

They are if your business is impacted by the Digital Operational Resilience Act (DORA) compliance regulation. DORA’s requirements include provisions related to backing up data, testing backups and planning effectively for disaster recovery.

Keep reading for details as we unpack everything you need to know about DORA compliance – including which organizations it covers, what the DORA requirements are, and how you can get started planning for DORA compliance.

What is DORA compliance?

DORA compliance is a set of requirements imposed by European Union regulators. Its main goal is to mitigate IT and cybersecurity risks in the financial services industry within the E.U.

The official text of the DORA regulation is available from the E.U.’s legislation database.

Which companies are impacted by DORA?

DORA applies to two sets of organizations:

  • Banks and other financial services companies (such as credit agencies, account information service providers, pension funds, investment firms and virtually every other kind of finance-related business)  that operate within the E.U.
  • Companies that provide what DORA calls Information and Communication Technology (ICT) services or resources to the finance industry in the E.U. This category includes managed service providers (MSPs), cloud service providers, data center operators, IT suppliers, and most other types of IT businesses that serve banks and other financial institutions.

Importantly, DORA is not limited to finance companies and IT vendors that are headquartered in the E.U. It applies to any bank that operates in the E.U. or serves E.U. citizens, along with IT suppliers or vendors that serve the bank.

Purpose of DORA

The main purpose of DORA is to ensure that financial institutions, as well as third parties that provide digital services and resources to them, take adequate steps to address risks that could impact business operations. DORA does this by establishing a variety of requirements related to risk assessment, backup and recovery, cybersecurity readiness, and third-party risk management. (We’ll dive deeper into the DORA requirements in a bit.)

Adhering to the DORA compliance requirements is good for financial institutions and IT providers because it helps reduce the chances of risks that could harm their reputations or cost them money.

That said, the ultimate goal of DORA is to protect E.U. residents against the repercussions of cyberattacks, data loss, and disruption to financial services that could result from a lack of effective risk management in the financial industry. By making practices like data backup not just something that businesses should do, but something they are legally required to do, DORA raises the bar when it comes to cyber readiness and business continuity planning.

What does DORA cover? The key requirements

At a high level, DORA’s key requirements can be broken down into five basic areas:

#1. ICT risk management and governance

DORA requires companies to assess risks that could impact the reliability or security of their digital systems and resources, and then formulate a plan for addressing those risks.

DORA provides relatively wide latitude to businesses to determine exactly which governance policies and procedures they’ll adopt to manage risks – which makes sense, because risks vary widely. But the key requirement in this category is adopting a deliberate, systematic, and proactive approach to risk management. DORA pushes organizations to think ahead of time about how they might be breached, or how they could lose critical data, and make plans to guard against these risks.

#2. Incident response, management, and reporting

As part of DORA compliance, banks and the IT servicers who support them must have mechanisms in place for detecting, responding to, and mitigating incidents that impact the security or reliability of digital systems and resources. In addition, DORA requires timely reporting of incidents to authorities – meaning businesses can’t keep cybersecurity and data protection failures secret.

#3. Operational resilience testing

Businesses must regularly test their digital systems and resources by simulating attacks and failure scenarios. The goal of this DORA requirement is to help businesses identify risks that they may have overlooked during manual risk assessment.

#4. Third-party risk management

Under DORA, regulated entities must identify and manage risks within their software and IT supply chains, in addition to risks that affect resources that originate within the business itself. These requirements include practices like assessing the risk management practices of vendors and committing suppliers to contractual obligations related to cybersecurity and data protection.

The goal of this part of DORA is to help protect businesses against mistakes made on the part of suppliers and vendors – and to ensure that they can’t simply blame third parties when they experience a cyber attack or data loss.

#5. Sharing of information

DORA mandates that regulated businesses share information with one another about cybersecurity risks and other threats to the integrity of digital systems. In this way, DORA provides a mechanism for sharing threat intelligence data collectively and helping businesses learn from each other.

DORA timeline: When DORA goes into effect

DORA became an official regulation on January 16, 2023, but European Union authorities won’t begin enforcing it until January 17, 2025. Thus, if you’re not yet DORA-compliant, you still have a bit of time to prepare.

Penalties for DORA non-compliance

If your business doesn’t meet DORA compliance mandates by early 2025, it could face fines of up to 2 percent of your total annual revenue.

But that’s just one of the penalties for DORA non-compliance. One of the interesting aspects of DORA’s penalty structure is that, unlike many other regulations, DORA also allows regulators to impose personal fines – and in some cases even criminal penalties – on individuals whom authorities deem responsible for failing to uphold compliance mandates. Personal fines can be as high as one million euros.

The ability to impose liability on individuals, not just the companies they work for, is notable because it gives DORA teeth that many other compliance frameworks lack (NIS 2, another recently unveiled E.U. compliance framework, is the only other major regulation that comes to mind that includes personal liability provisions). In particular, it increases the pressure that managers and executives face to ensure their companies take DORA compliance seriously. Pointing the finger for compliance oversights at low-level employees, paying a fine on behalf of the company, and moving on might not suffice in the case of DORA violations.

Time will tell, of course, how DORA regulators will choose to approach penalties and how stiff they might be. But if other E.U. frameworks are any indication, no one should expect a slap on the wrist. The average fine for violations of GDPR, another prominent E.U. regulation, is north of 2 million euros.

What DORA means for backup and recovery

DORA also stands out because its data backup and recovery requirements (which are defined primarily in Article 12) are quite specific. Unlike most other regulations that include requirements related to data protection, DORA doesn’t just say that organizations need to implement some kind of data backup plan or take data protection seriously, while leaving businesses wide latitude to interpret the rules.

DORA goes deeper by, for example, requiring businesses to perform “regular” backups – and while it doesn’t define “regular” with precision, it’s a safe bet that regulators will expect organizations to be conducting routine, systematic backups. The ability to schedule automated backups on a daily, hourly, or even more frequent routine will be important for meeting this requirement. Incremental backup features (which allow you to copy only the data that has changed since the last backup, instead of making a brand-new copy of all data) can help, too, because they allow you to take backups frequently in an efficient way – so recurring backups won’t cost a fortune or place unacceptable strain on systems.

DORA likewise mandates that organizations “maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.” This effectively means that, in many cases, organizations will need to prepare a backup environment that is distinct from their primary production environment.

The regulation also mentions calculating RTO and RPO, which directly impact how often organizations must perform backups. It doesn’t say exactly how organizations need to calculate these metrics, but by simply referencing them, DORA makes clear that having a detailed data backup and recovery plan, along with a backup schedule that aligns with that plan, is no longer just a best practice. It’s a regulatory mandate.

Best practices you can implement today for DORA-compliant backup and recovery

If you want to stay on the right side of DORA regulators, you have more than enough time to adopt the following backup and recovery best practices:

  • Consider cross-cloud backup, which can help meet DORA’s requirements related to a secondary processing site.
  • Consider cross-account backup, which may likewise assist with establishing secondary processing sites – and speeding recovery more generally – by making it possible to restore data to an environment controlled by a different account. This is especially useful in scenarios where the original account was hacked or is otherwise unusable.
  • Implement cross-region backup, making it possible to copy backup data from one region into another, allowing you to recover even if one of your cloud provider’s regions fails. This can also help to meet DORA’s requirements related to a secondary processing site. 
  • Consider cross-cloud backup, yet another way to maximize recoverability by enabling backup data from one cloud to be recovered to a completely separate cloud platform.
  • Enable backup alerts and notifications. In addition to helping your team discover problems that could disrupt backup routines, alerts and notifications provide an audit trail for proving to regulators that you have robust backup and recovery procedures in place.
  • Perform regular recovery tests and drills. These help meet DORA compliance rules related to resilience testing, while also providing another way for your team to discover problems with its backup strategy.

These are all examples of backup and recovery practices that extend beyond the basics – which is exactly the direction in which DORA is pushing businesses by requiring that they do much more than simply create backups. Complying with DORA also necessitates practices like multi-site backup, deep visibility into backup operations, and regular backup and recovery testing.

And in case you didn’t notice, these advanced practices also all align with features available in N2W. If you need a backup and recovery platform that is ideally suited for DORA compliance, you’ll be hard-pressed to find a better solution. Stay tuned for our Part 2 with advanced steps on how to implement backup and recovery strategies to ensure you are DORA compliant.

Need a second opinion on ensuring you are compliant? Don’t hesitate to schedule a health check. Contact us at info@n2ws.com and in the meantime, spin up a free trial.

Picture of Chris Tozzi

Chris Tozzi

Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.

All Posts

You might also like

Achieve rapid DORA compliance with this checklist

Achieve rapid DORA compliance

Get the easy-to-follow checklist ↓