---
title: "Banking IT Regulation and Cloud: What Banks Need to Know About Data Storage Compliance"
date: 2026-02-26T15:45:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/bait-cloud-banken"
section: "Entries: Articles"
---
### 1. The Regulatory Layers: DORA, EBA Guidelines, National Rules [\#](#1-the-regulatory-layers-dora-eba-guidelines-national-rules "1. The Regulatory Layers: DORA, EBA Guidelines, National Rules")

#### DORA: The Directly Applicable EU Layer [\#](#dora-the-directly-applicable-eu-layer "DORA: The Directly Applicable EU Layer")

DORA applies to credit institutions, payment and e‑money institutions, investment firms, insurers, and further financial entities across the EU. For data storage and cloud, the central provisions are:

- **Art. 9 and 12:** protection of ICT systems, documented backup policies, tested recovery procedures, isolated backup environments
- **Art. 28 to 30:** a register of all ICT third-party providers, risk assessment before contracting, mandatory contract clauses, and documented exit strategies for services supporting critical or important functions

#### EBA Guidelines on Outsourcing Arrangements [\#](#eba-guidelines-on-outsourcing-arrangements "EBA Guidelines on Outsourcing Arrangements")

The EBA guidelines define how supervisors across the EU expect banks to govern outsourcing, including cloud outsourcing: pre-outsourcing analysis, an outsourcing register, mandatory contractual content, audit and access rights, and exit planning. DORA absorbs and sharpens much of this for ICT services; the guidelines remain the reference for the broader outsourcing governance.

#### National Rules: BAIT as the German Example [\#](#national-rules-bait-as-the-german-example "National Rules: BAIT as the German Example")

Germany’s BAIT circular spelled out BaFin’s IT expectations for credit institutions in detail: IT strategy, IT operations, data backup, outsourcing, emergency management. Since DORA became applicable in January 2025, it has superseded much of BAIT’s substance; BaFin has aligned its national framework with DORA, and the remaining national requirements play a supplementary role. Other member states followed the same pattern with their national IT circulars.

For this article, the German requirements serve as a concrete example of how the EU framework translates into supervisory practice. The logic applies EU-wide.

---

### 2. What the Framework Concretely Requires for Data Backup [\#](#2-what-the-framework-concretely-requires-for-data-backup "2. What the Framework Concretely Requires for Data Backup")

#### Data Backup as a Supervisory Obligation [\#](#data-backup-as-a-supervisory-obligation "Data Backup as a Supervisory Obligation")

DORA Art. 12 and the national supervisory frameworks oblige credit institutions to ensure regular and complete data backups. The requirements include:

- Regular backups of all business-critical data
- Proof of restorability through regular restore tests
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Protection of backup copies against unauthorised access and manipulation
- Isolation of the backup environment from the production network

The rules do not prescribe rigid minimum frequencies. The institution’s risk profile is the determining factor: a critical payment system requires different backup intervals than an archive for loan documents.

#### Emergency Management: Recovery as a Mandatory Requirement [\#](#emergency-management-recovery-as-a-mandatory-requirement "Emergency Management: Recovery as a Mandatory Requirement")

Supervisors require a demonstrated emergency plan that explicitly covers the restoration of ICT systems and data. Specifically, the institution must:

- Have rehearsed scenarios for the total failure of critical systems
- Document and regularly test recovery processes
- Ensure that backups remain available even in the event of an attack (ransomware, sabotage)

A backup that cannot be restored in an emergency does not satisfy the supervisor, even if it technically exists.
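To show how these obligations can be checked against actual evidence rather than asserted on paper, here is an added Python example written for this article (not FAST LTA software, and not part of the original post). It takes a backup catalogue and a restore-drill log and evaluates each critical system against its RTO, RPO, restore-test interval and the requirement for an isolated copy; every system name, policy value, digest and drill record in it is constructed for illustration, and a real run would read these from the backup software's catalogue and the emergency-plan records.

```python
# Added example: turn RTO/RPO, restore-test and isolation requirements into
# checks over recorded evidence. All data below is constructed for illustration.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    system: str
    rto: timedelta                # maximum tolerated downtime
    rpo: timedelta                # maximum tolerated data loss (age of newest copy)
    drill_interval: timedelta     # how often a restore test must be repeated
    isolated_copy_required: bool  # offline / air-gapped copy required by risk profile


@dataclass(frozen=True)
class BackupCopy:
    system: str
    taken_at: datetime
    sha256: str     # digest recorded when the copy was written
    isolated: bool  # True if the copy sits on an offline or air-gapped target


@dataclass(frozen=True)
class RestoreDrill:
    system: str
    copy_taken_at: datetime  # identifies which copy was restored
    started_at: datetime
    finished_at: datetime
    restored_sha256: str     # digest computed over the restored data


def evaluate(policy, copies, drills, now):
    """Return the findings for one system; an empty list means compliant."""
    findings = []
    own_copies = [c for c in copies if c.system == policy.system]
    if not own_copies:
        return ["no backup copy recorded"]

    # RPO: the newest copy must not be older than the tolerated data loss.
    newest = max(own_copies, key=lambda c: c.taken_at)
    age = now - newest.taken_at
    if age > policy.rpo:
        findings.append(f"RPO breach: newest copy is {age} old, RPO is {policy.rpo}")

    # Isolation: at least one copy must be unreachable from the production network.
    if policy.isolated_copy_required and not any(c.isolated for c in own_copies):
        findings.append("no isolated (offline/air-gapped) copy on record")

    own_drills = [d for d in drills if d.system == policy.system]
    if not own_drills:
        findings.append("no restore test on record")
        return findings

    # Restorability: the last drill must be recent, within RTO, and bit-exact.
    latest = max(own_drills, key=lambda d: d.finished_at)
    if now - latest.finished_at > policy.drill_interval:
        findings.append(f"restore test overdue: last drill finished {latest.finished_at:%Y-%m-%d}")
    duration = latest.finished_at - latest.started_at
    if duration > policy.rto:
        findings.append(f"RTO breach: last restore took {duration}, RTO is {policy.rto}")
    source = next((c for c in own_copies if c.taken_at == latest.copy_taken_at), None)
    if source is None:
        findings.append("restore drill references a copy that is not in the catalogue")
    elif source.sha256 != latest.restored_sha256:
        findings.append("integrity mismatch: restored data differs from the copy's recorded digest")
    return findings


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


NOW = utc(2026, 2, 26, 9, 0)

# Constructed policies: a payment system tolerates far less loss and downtime than an archive.
POLICIES = [
    Policy("payments-core", rto=timedelta(hours=4), rpo=timedelta(minutes=15),
           drill_interval=timedelta(days=90), isolated_copy_required=True),
    Policy("loan-archive", rto=timedelta(hours=72), rpo=timedelta(hours=24),
           drill_interval=timedelta(days=180), isolated_copy_required=True),
]

# Constructed catalogue and drill log (digests are of placeholder byte strings).
COPIES = [
    BackupCopy("payments-core", utc(2026, 2, 20, 2, 0), _digest(b"payments 2026-02-20"), isolated=True),
    BackupCopy("payments-core", utc(2026, 2, 26, 8, 50), _digest(b"payments 2026-02-26"), isolated=False),
    BackupCopy("loan-archive", utc(2026, 2, 25, 2, 0), _digest(b"loans 2026-02-25"), isolated=False),
]
DRILLS = [
    RestoreDrill("payments-core", utc(2026, 2, 20, 2, 0), utc(2026, 2, 20, 3, 0),
                 utc(2026, 2, 20, 5, 30), _digest(b"payments 2026-02-20")),
    # The restored archive does not match the recorded digest: the copy is no proof of restorability.
    RestoreDrill("loan-archive", utc(2026, 2, 25, 2, 0), utc(2026, 2, 25, 3, 0),
                 utc(2026, 2, 25, 4, 0), _digest(b"loans 2026-02-25 corrupted")),
]


def run_report(policies=POLICIES, copies=COPIES, drills=DRILLS, now=NOW):
    """Map each system to its list of findings."""
    return {p.system: evaluate(p, copies, drills, now) for p in policies}


if __name__ == "__main__":
    for system, findings in run_report().items():
        print(f"{system}: {'compliant' if not findings else 'findings'}")
        for finding in findings:
            print(f"  - {finding}")
```

With the constructed data, payments-core passes every check, while loan-archive produces three findings: an RPO breach (its newest copy is 31 hours old against a 24-hour RPO), no isolated copy, and an integrity mismatch on the last restore. The digest comparison is what separates "a backup exists" from "a backup is restorable", which is the distinction the supervisor draws.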

---

### 3. Cloud Backup as a Critical ICT Arrangement [\#](#3-cloud-backup-as-a-critical-ict-arrangement "3. Cloud Backup as a Critical ICT Arrangement")

#### When Is Cloud Backup in Scope? [\#](#when-is-cloud-backup-in-scope "When Is Cloud Backup in Scope?")

Outsourcing data backup to a public cloud is an ICT third-party arrangement under DORA and an outsourcing under the EBA guidelines. The institution must assess before contracting whether the arrangement supports a critical or important function.

#### Why Cloud Backup Usually Qualifies as Critical or Important [\#](#why-cloud-backup-usually-qualifies-as-critical-or-important "Why Cloud Backup Usually Qualifies as Critical or Important")

Backup of business-critical data is itself a core regulatory obligation. If the cloud provider fails (technical disruption, insolvency, or regulatory order), the institution loses access to its backup copies. In supervisory practice, cloud backup of critical data therefore regularly qualifies as supporting a critical or important function, with the full set of obligations attached.

#### The Institution’s Control Obligations [\#](#the-institutions-control-obligations "The Institution's Control Obligations")

Even after outsourcing, the credit institution remains fully responsible. The framework requires:

- Active third-party management with the institution’s own control mechanisms
- Regular audits of the service provider (audit rights must be contractually agreed)
- Proof that the institution can exercise control over outsourced processes at any time
- Documentation of all arrangements in the ICT third-party register (DORA Art. 28) or outsourcing register

In practice: standard hyperscaler contracts do not automatically grant banks these audit rights. Individual contract negotiations are necessary, and experience shows they are demanding.

---

### 4. Requirements for the Contract [\#](#4-requirements-for-the-contract "4. Requirements for the Contract")

#### What the Contract Must Contain [\#](#what-the-contract-must-contain "What the Contract Must Contain")

For arrangements supporting critical or important functions, DORA Art. 30 and the EBA guidelines prescribe detailed minimum content. The contract must at minimum address:

- **Service description:** exact specification of backed-up data, storage locations, timeframes
- **Data access:** guaranteed access by the institution to its own data at all times, including in insolvency scenarios
- **Audit rights:** right of the institution and the competent authority to audit the provider directly or through third parties, including on-site
- **Data deletion:** guaranteed deletion of data upon contract termination
- **Sub-contracting:** transparency regarding sub-contractors, restrictions and notification requirements
- **Data storage location:** specification of the countries in which data is processed and stored
- **Incident notification:** provider obligations to report ICT incidents affecting the institution
- **Exit provisions:** cooperation obligations during the exit phase, including migration support

A cloud backup contract that does not contain these elements is non-compliant, regardless of whether the provider is a major hyperscaler.

#### The Storage Location: EU Is Not Always Enough [\#](#the-storage-location-eu-is-not-always-enough "The Storage Location: EU Is Not Always Enough")

Neither DORA nor the national rules contain a blanket requirement to store data in the EU. However, banks are obligated to assess the data access possibilities of foreign authorities. The US CLOUD Act gives US authorities access to data held by US companies under certain circumstances, even if that data is physically stored in the EU.

This tension is not fully resolved from a regulatory standpoint. Until it is, the prudent course is to use exclusively European providers without a US parent company, or to operate data storage on-premises.

---

### 5. Exit Strategy as a Regulatory Obligation [\#](#5-exit-strategy-as-a-regulatory-obligation "5. Exit Strategy as a Regulatory Obligation")

#### Why Cloud Lock-In Is a Compliance Problem [\#](#why-cloud-lock-in-is-a-compliance-problem "Why Cloud Lock-In Is a Compliance Problem")

DORA Art. 28(8) and the EBA guidelines explicitly require an exit strategy for critical or important arrangements. The institution must be capable of performing the service (here, backup) itself again, or switching to a different provider, within a reasonable timeframe.

Cloud backup creates structural lock-in:

- Proprietary data formats complicate provider switching
- Egress costs for migrating large volumes of data are substantial
- Dependency on the provider’s API ecosystem limits freedom of choice
- In a crisis (provider failure, ransomware at the provider), rapid access is not possible

#### On-Premises as the Foundation of the Exit Strategy [\#](#on-premises-as-the-foundation-of-the-exit-strategy "On-Premises as the Foundation of the Exit Strategy")

A physical on-premises backup structurally eliminates this dependency. Data resides in the institution’s own data centre, on its own hardware, under its own control. Internal infrastructure is not an ICT third-party arrangement: no Art. 30 contract, no exit strategy, no register entry required. In an emergency, no data migration across a network is needed; the institution accesses its data immediately.

FAST LTA’s Silent Brick System enables air-gap-secured on-premises backup. Silent Brick Pro units can be physically removed from the Controller X, creating a genuine physical air gap. Alternatively, Silent Brick Max Air provides galvanic separation without physical removal. Both variants satisfy the supervisory requirement to keep backups available even during an attack.

---

### 6. What Supervisors Examine When Auditing Cloud Use [\#](#6-what-supervisors-examine-when-auditing-cloud-use "6. What Supervisors Examine When Auditing Cloud Use")

National supervisors (in Germany, for example, BaFin in on-site inspections and special audits) examine:

- Completeness of the ICT third-party or outsourcing register: are all material cloud services captured?
- Quality of the contracts: do they contain all mandatory elements?
- Evidence of audit exercise: has the institution actually exercised its audit rights vis-à-vis the provider?
- Restore tests: is there documented proof that backups are actually restorable?
- Exit strategy: is it documented and operationally executable?
- Emergency plans: does the emergency plan also cover failure of the cloud provider?

Institutions that use cloud backup but cannot demonstrate active third-party management risk findings.

---

### 7. Requirements Compared: Cloud Backup vs. On-Premises [\#](#7-requirements-compared-cloud-backup-vs-on-premises "7. Requirements Compared: Cloud Backup vs. On-Premises")

- **Data control:** cloud dependent on contract, factually limited; on-premises full control by the institution
- **Audit rights:** cloud contractually negotiable but rarely standard; on-premises the institution’s own responsibility, no third-party dependency
- **Data storage location:** cloud only controllable through contract; on-premises physically at the institution
- **Exit strategy:** cloud structurally complex (egress, formats); on-premises trivial, data is on-site
- **CLOUD Act risk:** cloud relevant for US providers even with EU storage; on-premises not applicable with EU providers
- **Recovery in an emergency:** cloud dependent on network connection and provider status; on-premises independent of third parties
- **Register and contract obligations:** cloud mandatory entry plus ongoing monitoring; on-premises not classified as a third-party arrangement
- **Emergency planning:** cloud must explicitly cover provider failure; on-premises entirely within the institution’s own plans

---

### 8. Checklist: Compliance for the Next Supervisory Audit [\#](#8-checklist-compliance-for-the-next-supervisory-audit "8. Checklist: Compliance for the Next Supervisory Audit")

Use this checklist as preparation for internal audits or supervisory examinations:

**Third-Party Management**

- All cloud services for data storage and backup recorded in the ICT third-party or outsourcing register
- Classification as critical/important reviewed and documented
- Contracts contain all DORA Art. 30 mandatory elements
- Audit rights vis-à-vis cloud providers agreed in writing and exercised at least once
- Sub-contractors of the cloud provider known and contractually regulated

**Data Backup and Recovery**

- Backup concept documented with RTO/RPO for all critical systems
- Restore tests regularly performed and documented in writing
- Backup availability ensured even in a ransomware attack (air gap or offline copy)
- Emergency plan explicitly covers failure of the cloud provider

**Exit Strategy**

- Exit strategy documented for each critical cloud service
- Data migration rehearsed in practice (not just planned on paper)
- Costs and time required for a provider switch are known

**Data Storage Location and Legal Framework**

- Storage locations for all backups contractually specified and verified
- CLOUD Act risk assessed (US provider or US parent company?)
- Data deletion upon contract termination contractually regulated

---

### Further Resources [\#](#further-resources "Further Resources")

- [US CLOUD Act: What IT Decision-Makers Need to Know](/en/blog/us-cloud-act-erklaert/)
- [DORA: Requirements for the Financial Sector](/en/blog/dora-anforderungen-finanzsektor/)
- [DORA ICT Third-Party Management](/en/blog/dora-ict-third-party-management/)
- [Logical vs. Physical Air Gap: Technical Comparison](/en/blog/logischer-vs-physischer-air-gap/)
- [What Is Data Sovereignty?](/en/blog/was-ist-datensouveraenitaet/)
- [Silent Brick System](/en/produkte/silent-brick-system/)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

### Data Sovereignty

Data sovereignty describes an organization's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.

[Learn more →](https://www.fast-lta.de//en/glossary/data-sovereignty)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss — both are metrics that must be technically demonstrably met in backup architectures and must not merely be defined as aspirational targets.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)
