
How DORA (Digital Operational Resilience Act) Changes Your Backup and Recovery Game

DORA mandates regular backups, strict restore requirements and more. Dig deeper into DORA compliance and how it affects your backup strategy for your critical data. Read our guide on how to easily comply just in time for the January 17th deadline.

You certainly know that creating and testing data backups is a best practice for protecting your business and customers. But did you know data backups are also a requirement imposed by government regulators?

They are if your business is impacted by the Digital Operational Resilience Act (DORA) compliance regulation. DORA’s requirements include provisions related to backing up data, testing backups and planning effectively for disaster recovery.

Keep reading for details as we unpack everything you need to know about DORA compliance – including which organizations it covers, what the DORA requirements are, and how you can get started planning for DORA compliance.

What is DORA compliance?

DORA compliance is a set of requirements imposed by European Union regulators. Its main goal is to mitigate IT and cybersecurity risks in the financial services industry within the E.U.

The official text of the DORA regulation is available from the E.U.’s legislation database.

Which companies are impacted by DORA?

DORA applies to two sets of organizations:

  • Banks and other financial services companies (such as credit agencies, account information service providers, pension funds, investment firms and virtually every other kind of finance-related business) that operate within the E.U.
  • Companies that provide what DORA calls Information and Communication Technology (ICT) services or resources to the finance industry in the E.U. This category includes managed service providers (MSPs), cloud service providers, data center operators, IT suppliers, and most other types of IT businesses that serve banks and other financial institutions.

Importantly, DORA is not limited to finance companies and IT vendors that are headquartered in the E.U. It applies to any bank that operates in the E.U. or serves E.U. citizens, along with IT suppliers or vendors that serve the bank.

Purpose of DORA

The main purpose of DORA is to ensure that financial institutions, as well as third parties that provide digital services and resources to them, take adequate steps to address risks that could impact business operations. DORA does this by establishing a variety of requirements related to risk assessment, backup and recovery, cybersecurity readiness, and third-party risk management. (We’ll dive deeper into the DORA requirements in a bit.)

Adhering to the DORA compliance requirements is good for financial institutions and IT providers because it reduces the likelihood of incidents that could harm their reputations or cost them money.

That said, the ultimate goal of DORA is to protect E.U. residents against the repercussions of cyberattacks, data loss, and disruption to financial services that could result from a lack of effective risk management in the financial industry. By making practices like data backup not just something that businesses should do, but something they are legally required to do, DORA raises the bar when it comes to cyber readiness and business continuity planning.

What does DORA cover? The key requirements

At a high level, DORA’s key requirements can be broken down into five basic areas:

#1. ICT risk management and governance

DORA requires companies to assess risks that could impact the reliability or security of their digital systems and resources, and then formulate a plan for addressing those risks.

DORA provides relatively wide latitude to businesses to determine exactly which governance policies and procedures they’ll adopt to manage risks – which makes sense, because risks vary widely. But the key requirement in this category is adopting a deliberate, systematic, and proactive approach to risk management. DORA pushes organizations to think ahead of time about how they might be breached, or how they could lose critical data, and make plans to guard against these risks.

#2. Incident response, management, and reporting

As part of DORA compliance, banks and the IT service providers who support them must have mechanisms in place for detecting, responding to, and mitigating incidents that impact the security or reliability of digital systems and resources. In addition, DORA requires timely reporting of incidents to authorities – meaning businesses can’t keep cybersecurity and data protection failures secret.

#3. Operational resilience testing

Businesses must regularly test their digital systems and resources by simulating attacks and failure scenarios. The goal of this DORA requirement is to help businesses identify risks that they may have overlooked during manual risk assessment.

#4. Third-party risk management

Under DORA, regulated entities must identify and manage risks within their software and IT supply chains, in addition to risks that affect resources that originate within the business itself. These requirements include practices like assessing the risk management practices of vendors and committing suppliers to contractual obligations related to cybersecurity and data protection.

The goal of this part of DORA is to help protect businesses against mistakes made on the part of suppliers and vendors – and to ensure that they can’t simply blame third parties when they experience a cyberattack or data loss.

#5. Sharing of information

DORA mandates that regulated businesses share information with one another about cybersecurity risks and other threats to the integrity of digital systems. In this way, DORA provides a mechanism for sharing threat intelligence data collectively and helping businesses learn from each other.

DORA timeline: When DORA goes into effect

DORA became an official regulation on January 16, 2023, but European Union authorities won’t begin enforcing it until January 17, 2025. Thus, if you’re not yet DORA-compliant, you still have a bit of time to prepare.

Penalties for DORA non-compliance

If your business doesn’t meet DORA compliance mandates by early 2025, it could face fines of up to 2 percent of your total annual revenue.

But that’s just one of the penalties for DORA non-compliance. One of the interesting aspects of DORA’s penalty structure is that, unlike many other regulations, DORA also allows regulators to impose personal fines – and in some cases even criminal penalties – on individuals whom authorities deem responsible for failing to uphold compliance mandates. Personal fines can be as high as one million euros.

The ability to impose liability on individuals, not just the companies they work for, is notable because it gives DORA teeth that many other compliance frameworks lack (NIS 2, another recently unveiled E.U. compliance framework, is the only other major regulation that comes to mind that includes personal liability provisions). In particular, it increases the pressure that managers and executives face to ensure their companies take DORA compliance seriously. Pointing the finger for compliance oversights at low-level employees, paying a fine on behalf of the company, and moving on might not suffice in the case of DORA violations.

Time will tell, of course, how DORA regulators will choose to approach penalties and how stiff they might be. But if other E.U. frameworks are any indication, no one should expect a slap on the wrist. The average fine for violations of GDPR, another prominent E.U. regulation, is north of 2 million euros.

What DORA means for backup and recovery

DORA also stands out because its data backup and recovery requirements (which are defined primarily in Article 12) are quite specific. Unlike most other regulations that include requirements related to data protection, DORA doesn’t just say that organizations need to implement some kind of data backup plan or take data protection seriously, while leaving businesses wide latitude to interpret the rules.

DORA goes deeper by, for example, requiring businesses to perform “regular” backups – and while it doesn’t define “regular” with precision, it’s a safe bet that regulators will expect organizations to be conducting routine, systematic backups. The ability to schedule automated backups on a daily, hourly, or even more frequent routine will be important for meeting this requirement. Incremental backup features (which allow you to copy only the data that has changed since the last backup, instead of making a brand-new copy of all data) can help, too, because they allow you to take backups frequently in an efficient way – so recurring backups won’t cost a fortune or place unacceptable strain on systems.

DORA likewise mandates that organizations “maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs.” This effectively means that, in many cases, organizations will need to prepare a backup environment that is distinct from their primary production environment.

The regulation also mentions calculating recovery time objectives (RTO) and recovery point objectives (RPO); the RPO in particular directly determines how often organizations must perform backups. It doesn’t say exactly how organizations need to calculate these metrics, but by simply referencing them, DORA makes clear that having a detailed data backup and recovery plan, along with a backup schedule that aligns with that plan, is no longer just a best practice. It’s a regulatory mandate.

Best practices you can implement today for DORA-compliant backup and recovery

If you want to stay on the right side of DORA regulators, you have more than enough time to adopt the following backup and recovery best practices:

  • Consider cross-cloud backup, which enables backup data from one cloud to be recovered to a completely separate cloud platform. This maximizes recoverability and can help meet DORA’s requirements related to a secondary processing site.
  • Consider cross-account backup, which may likewise assist with establishing secondary processing sites – and speeding recovery more generally – by making it possible to restore data to an environment controlled by a different account. This is especially useful in scenarios where the original account was hacked or is otherwise unusable.
  • Implement cross-region backup, making it possible to copy backup data from one region into another, allowing you to recover even if one of your cloud provider’s regions fails. This can also help to meet DORA’s requirements related to a secondary processing site.
  • Enable backup alerts and notifications. In addition to helping your team discover problems that could disrupt backup routines, alerts and notifications provide an audit trail for proving to regulators that you have robust backup and recovery procedures in place.
  • Perform regular recovery tests and drills. These help meet DORA compliance rules related to resilience testing, while also providing another way for your team to discover problems with its backup strategy.

These are all examples of backup and recovery practices that extend beyond the basics – which is exactly the direction in which DORA is pushing businesses by requiring that they do much more than simply create backups. Complying with DORA also necessitates practices like multi-site backup, deep visibility into backup operations, and regular backup and recovery testing.
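As an added example (not code from this post or from N2WS), the following Python script audits a backup catalog against the three requirements discussed above: a backup cadence that satisfies the RPO, an off-site copy of every backup to serve as the secondary processing site, and a recent recovery drill that met the RTO. The catalog entries, region and account identifiers, and thresholds are constructed sample data, not real N2WS output.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    taken_at: datetime
    copies: tuple  # (region, account) pairs holding a copy of this backup

@dataclass
class RestoreDrill:
    ran_at: datetime
    duration: timedelta  # wall-clock time the drill took to bring workloads back

def audit(catalog, drills, rpo, rto, drill_interval, primary_site, now):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = sorted(catalog, key=lambda b: b.taken_at)
    # 1. Cadence: consecutive backups may not be further apart than the RPO,
    #    and the newest backup must itself be within the RPO of 'now'.
    for older, newer in zip(backups, backups[1:]):
        gap = newer.taken_at - older.taken_at
        if gap > rpo:
            findings.append(f"RPO breach: {gap} gap ending {newer.taken_at:%Y-%m-%d %H:%M}")
    if not backups or now - backups[-1].taken_at > rpo:
        findings.append("RPO breach: newest backup is older than the RPO")
    # 2. Secondary site: each backup needs a copy in another region or account.
    for b in backups:
        if not any(site != primary_site for site in b.copies):
            findings.append(f"no off-site copy for backup {b.taken_at:%Y-%m-%d %H:%M}")
    # 3. Recovery drills: one must have run recently, and it must have met the RTO.
    recent = [d for d in drills if now - d.ran_at <= drill_interval]
    if not recent:
        findings.append("no recovery drill within the required interval")
    for d in recent:
        if d.duration > rto:
            findings.append(f"RTO breach: drill on {d.ran_at:%Y-%m-%d} took {d.duration}")
    return findings

# Constructed sample data (not real N2WS output): hourly backups with one
# five-hour gap, one backup never copied off-site, and a drill that missed RTO.
NOW = datetime(2024, 11, 1, 12, 0)
PRIMARY = ("eu-west-1", "111111111111")      # (region, account) of production
SECONDARY = ("eu-central-1", "111111111111")  # same account, second region
CATALOG = [Backup(NOW - timedelta(hours=h), () if h == 3 else (SECONDARY,))
           for h in (0, 1, 2, 3, 8, 9)]
DRILLS = [RestoreDrill(NOW - timedelta(days=20), timedelta(hours=6))]

def audit_sample():
    return audit(CATALOG, DRILLS, rpo=timedelta(hours=1), rto=timedelta(hours=4),
                 drill_interval=timedelta(days=90), primary_site=PRIMARY, now=NOW)
```

Running `audit_sample()` on the constructed catalog reports the five-hour cadence gap, the backup with no off-site copy, and the drill that overran the four-hour RTO; the same findings list is what you would attach to an audit trail for regulators.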

And in case you didn’t notice, these advanced practices also all align with features available in N2W. If you need a backup and recovery platform that is ideally suited for DORA compliance, you’ll be hard-pressed to find a better solution. Stay tuned for our Part 2 with advanced steps on how to implement backup and recovery strategies to ensure you are DORA compliant.

Need a second opinion on ensuring you are compliant? Don’t hesitate to schedule a health check. Contact us at info@n2ws.com and in the meantime, spin up a free trial.


Chris Tozzi

Chris, who has worked as a journalist and Linux systems administrator, is a freelance writer specializing in areas such as DevOps, cybersecurity, cloud computing, and AI and machine learning. He is also an adviser for Fixate IO, an adjunct research adviser for IDC, and a professor of IT and society at a polytechnic university in upstate New York.
