The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied on a mandatory basis since 17 January 2025. It covers virtually all regulated financial market participants: credit institutions, insurers, investment firms, payment service providers, asset managers, savings banks and cooperative banks, with requirements graduated according to the proportionality principle (Art. 4).

Article 11 obliges financial entities to create backup policies and test them regularly: backup systems must be isolated from production systems, recoverability must be tested and documented regularly, and recovery time objectives (RTOs) and recovery point objectives (RPOs) must be defined for critical systems.

Article 12 sets concrete requirements for the technical protection of backup data: it must be protected against unauthorized modification or deletion, including by compromised administrator accounts. Immutability in Governance Mode (overridable by admins) does not fully satisfy Art. 12; Compliance Mode combined with Multi-Person Authorization, or a physical air gap at hardware level, are the more technically robust solutions.
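As an added illustration of the Art. 11 and Art. 12 checks summarised above (not code from the original page or from any vendor), the following policy-as-code audit runs over a constructed backup inventory. It assumes S3 Object Lock-style retention modes named GOVERNANCE and COMPLIANCE, a boolean for multi-person authorization, and an internal 90-day recovery-test interval; none of these specifics come from the regulation text.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class BackupRepo:
    name: str
    isolated_from_prod: bool            # Art. 11: separate from production systems
    rto_hours: Optional[int]            # Art. 11: recovery time objective
    rpo_hours: Optional[int]            # Art. 11: recovery point objective
    last_recovery_test: Optional[date]  # Art. 11: date of last logged restore test
    immutable: bool = False             # Art. 12: retention lock enabled
    lock_mode: Optional[str] = None     # "GOVERNANCE" or "COMPLIANCE" (assumed Object Lock style)
    multi_person_auth: bool = False     # Art. 12: four-eyes approval for deletes/config changes
    air_gapped: bool = False            # Art. 12: physical air gap at hardware level

def assess(repo: BackupRepo, today: date, max_test_age_days: int = 90) -> List[str]:
    # Empty list = no gap found. max_test_age_days is an assumed internal policy value.
    findings = []
    if not repo.isolated_from_prod:
        findings.append("Art. 11: backup system not isolated from production")
    if repo.rto_hours is None or repo.rpo_hours is None:
        findings.append("Art. 11: RTO/RPO not defined")
    if repo.last_recovery_test is None:
        findings.append("Art. 11: no logged recovery test")
    elif (today - repo.last_recovery_test).days > max_test_age_days:
        findings.append(f"Art. 11: last recovery test older than {max_test_age_days} days")
    # Art. 12: protection against deletion, including by compromised admin accounts.
    if repo.air_gapped:
        pass  # physical air gap: isolation is a hardware property, not a setting
    elif not repo.immutable:
        findings.append("Art. 12: no retention lock; any admin can delete backups")
    elif repo.lock_mode == "GOVERNANCE":
        findings.append("Art. 12: Governance Mode retention is overridable by privileged accounts")
    elif repo.lock_mode == "COMPLIANCE":
        if not repo.multi_person_auth:
            findings.append("Art. 12: Compliance Mode without multi-person authorization")
    else:
        findings.append(f"Art. 12: unrecognised lock mode {repo.lock_mode!r}")
    return findings

# Constructed sample inventory (not real systems); positional order follows the dataclass.
SAMPLE_INVENTORY = [
    BackupRepo("core-banking-vault", True, 4, 1, date(2025, 3, 1), True, "COMPLIANCE", True),
    BackupRepo("branch-fileshare", False, None, None, None, True, "GOVERNANCE"),
]

def audit(repos=SAMPLE_INVENTORY, today=date(2025, 3, 20)):
    return {r.name: assess(r, today) for r in repos}
```

The findings dictionary returned by audit() is the kind of technical, reproducible evidence the FAQ below says auditors expect in place of purely procedural statements.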

Articles 28 to 30 govern ICT third-party risk: all critical ICT third-party providers must be inventoried, assessed and contractually bound to DORA requirements, with clauses on audit rights, availability SLAs, exit strategies and data localization. For existing contracts, a transition period runs until 31 December 2026.

Frequently asked questions

Yes — with graduated requirements. DORA distinguishes between significant and less significant institutions but does not provide a complete exemption for smaller institutions. The proportionality rule (Art. 4) allows risk-based implementation. However, the backup requirements under Art. 11 and 12 are binding for smaller institutions as well.

DORA Art. 12 requires that backup systems have integrity, are isolated and are recoverable, and that this can be demonstrated. Auditors do not accept purely procedural evidence. Expected: technical configuration documentation, regular recovery tests with logged results and, for backup isolation, a mechanism that ensures isolation through technical properties, not just configuration. A physical air gap at hardware level is the strongest available means of proof.

The transition period for existing ICT third-party contracts runs until 31 December 2026. Financial entities must review which of their existing cloud and backup contracts contain DORA-compliant clauses, and renegotiate where necessary.