---
title: DORA
date: 2026-06-01T17:19:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/glossary/dora"
section: Glossar
---
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied since 17 January 2025. It covers virtually all regulated financial market participants: credit institutions, insurers, investment firms, payment service providers, asset managers, savings banks and cooperative banks, with requirements graduated according to the proportionality principle (Art. 4).

Article 11 (response and recovery) obliges financial entities to maintain an ICT business continuity policy with response and recovery plans and to test them regularly; Article 12 (backup policies and procedures, restoration and recovery) adds the backup requirements themselves. In practice this means: backup systems must be segregated from production systems, recoverability must be tested and documented regularly, and Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) must be defined for critical systems.

Article 12 sets concrete requirements for the technical protection of backup data: it must be protected against unauthorized modification or deletion, including by compromised administrator accounts. Object Lock in Governance Mode does not fully satisfy Art. 12, because any principal holding the bypass permission (typically an administrator) can lift the retention period; Compliance Mode combined with Multi-Person Authorization, or a physical air gap at hardware level, are the technically more robust options.
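As an added illustration of the Governance versus Compliance Mode point (example code written for this glossary entry, not code from FAST LTA or from the regulation), the following Python audit takes bucket Object Lock configurations in the shape that S3 `GetObjectLockConfiguration` returns, together with the IAM actions granted to a backup-administrator role, and flags every bucket whose retention a compromised administrator could remove or that is simply too short. The bucket names, configurations and IAM action lists are constructed, and the 60-day minimum retention is an assumed policy value.

```python
"""Audit Object Lock settings against the requirement that a compromised
administrator must not be able to alter or delete backup data.

Added example for this glossary entry; not FAST LTA code. Bucket records,
IAM actions and the 60-day requirement below are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# The S3 permission that lets a principal shorten or remove GOVERNANCE retention.
BYPASS_ACTION = "s3:BypassGovernanceRetention"


@dataclass
class Bucket:
    name: str
    lock_config: dict                                   # shape of GetObjectLockConfiguration
    admin_actions: list = field(default_factory=list)   # IAM actions granted to the backup admin role


def grants(actions, wanted):
    """Return the granted IAM actions (wildcards allowed, e.g. 's3:*') that cover `wanted`."""
    wanted = wanted.lower()
    return [a for a in actions if fnmatchcase(wanted, a.lower())]


def retention_days(rule):
    """Default retention of a lock rule in days (S3 accepts either Days or Years)."""
    r = (rule or {}).get("DefaultRetention", {})
    return int(r.get("Days", 0)) + 365 * int(r.get("Years", 0))


def assess(bucket, required_days):
    """Return (verdict, findings); verdict is PASS, WARN or FAIL."""
    findings = []                      # (severity, message)
    cfg = bucket.lock_config
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append(("FAIL", "Object Lock disabled: anyone with s3:DeleteObject can destroy backups"))
        return "FAIL", findings
    rule = cfg.get("Rule")
    mode = (rule or {}).get("DefaultRetention", {}).get("Mode")
    if mode is None:
        findings.append(("FAIL", "no default retention rule: objects are locked only if each PUT sets retention"))
    elif mode == "GOVERNANCE":
        bypass = grants(bucket.admin_actions, BYPASS_ACTION)
        if bypass:
            findings.append(("FAIL", f"GOVERNANCE mode and the admin role holds {bypass}: a compromised admin can lift retention"))
        else:
            # Not bypassable today, but the protection rests on IAM, not on the storage itself.
            findings.append(("WARN", f"GOVERNANCE mode: any later grant of {BYPASS_ACTION} removes the protection"))
    elif mode != "COMPLIANCE":
        findings.append(("FAIL", f"unknown retention mode {mode!r}"))
    # COMPLIANCE mode: nobody, including the account root user, can shorten the period
    # before it expires, so check that the period is long enough before relying on it.
    if mode is not None and retention_days(rule) < required_days:
        findings.append(("FAIL", f"default retention {retention_days(rule)}d is below the required {required_days}d"))
    levels = {sev for sev, _ in findings}
    verdict = "FAIL" if "FAIL" in levels else "WARN" if "WARN" in levels else "PASS"
    return verdict, findings


def audit(buckets, required_days):
    """Map bucket name -> verdict for a whole inventory."""
    return {b.name: assess(b, required_days)[0] for b in buckets}


def lock(mode, days):
    """Build a lock configuration in the GetObjectLockConfiguration shape."""
    return {"ObjectLockEnabled": "Enabled", "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


REQUIRED_DAYS = 60   # assumed minimum retention from the backup policy
SAMPLE_BUCKETS = [   # constructed inventory
    Bucket("backups-nolock", {}),
    Bucket("backups-gov-bypass", lock("GOVERNANCE", 90), ["s3:*"]),
    Bucket("backups-gov", lock("GOVERNANCE", 90), ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]),
    Bucket("backups-compliance", lock("COMPLIANCE", 90), ["s3:*"]),
    Bucket("backups-short", lock("COMPLIANCE", 30), ["s3:*"]),
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        verdict, findings = assess(b, REQUIRED_DAYS)
        print(f"{b.name:22s} {verdict}")
        for sev, msg in findings:
            print(f"    [{sev}] {msg}")
```

The Governance-mode bucket without a bypass grant is only a warning, not a pass: its protection is one IAM policy change away, which is exactly the case the "compromised administrator" wording is about. Wire the same function to the real inventory by feeding it the output of `get_object_lock_configuration` and the simulated policy of the backup role.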

Articles 28 to 30 govern ICT third-party risk management: all critical ICT third-party providers must be inventoried, assessed and contractually bound to DORA requirements, with clauses on audit rights, availability SLAs, exit strategies and data localization. For existing contracts, a transition period runs until 31 December 2026.

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss — both are metrics that must be technically demonstrably met in backup architectures and must not merely be defined as aspirational targets.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)
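To show what "technically demonstrably met" can look like as evidence, here is an added Python example (not code from the original page) that evaluates a constructed restore-test log against per-system RTO and RPO targets. It keeps the worst observed value over all tests rather than the best, and treats a critical system with no test on record as a failure. The system names, targets and log lines are assumptions made for the example.

```python
"""Check logged restore tests against defined RTO/RPO targets.

Added example for this glossary entry, not code from the page. Systems,
targets and log lines are constructed.
"""
from datetime import datetime, timedelta

# Targets per critical system, as the backup policy would define them (constructed).
TARGETS = {
    "core-banking": {"rto": timedelta(hours=4),  "rpo": timedelta(minutes=15)},
    "payments":     {"rto": timedelta(hours=2),  "rpo": timedelta(minutes=5)},
    "crm":          {"rto": timedelta(hours=24), "rpo": timedelta(hours=4)},
}

# Restore-test log, one exercise per line (constructed):
# system, timestamp of the backup that was restored, simulated incident start, restore completed
TEST_LOG = """\
# system,backup_ts,incident_ts,restored_ts
core-banking,2025-03-01T01:00:00,2025-03-01T01:10:00,2025-03-01T04:30:00
core-banking,2025-06-02T01:00:00,2025-06-02T01:05:00,2025-06-02T06:20:00
payments,2025-04-10T12:00:00,2025-04-10T12:04:00,2025-04-10T13:40:00
"""


def parse_log(text):
    """Parse the CSV-style log into (system, backup, incident, restored) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        system, backup, incident, restored = (f.strip() for f in line.split(","))
        rows.append((system,
                     datetime.fromisoformat(backup),
                     datetime.fromisoformat(incident),
                     datetime.fromisoformat(restored)))
    return rows


def evaluate(targets, rows):
    """Compare the worst observed RTO/RPO per system with its target.

    Observed RTO = restore completed - incident start.
    Observed RPO = incident start - timestamp of the backup actually restored
    (the data written in between is what would be lost).
    A critical system without any test on record fails: an untested target is
    an aspiration, not evidence.
    """
    observed = {}
    for system, backup, incident, restored in rows:
        o = observed.setdefault(system, {"rto": timedelta(0), "rpo": timedelta(0), "tests": 0})
        o["rto"] = max(o["rto"], restored - incident)
        o["rpo"] = max(o["rpo"], incident - backup)
        o["tests"] += 1

    result = {}
    for system, t in targets.items():
        o = observed.get(system)
        if o is None:
            result[system] = {"status": "FAIL", "tests": 0, "reason": "no restore test on record"}
            continue
        problems = []
        if o["rto"] > t["rto"]:
            problems.append(f"worst RTO {o['rto']} exceeds target {t['rto']}")
        if o["rpo"] > t["rpo"]:
            problems.append(f"worst RPO {o['rpo']} exceeds target {t['rpo']}")
        result[system] = {"status": "FAIL" if problems else "PASS",
                          "tests": o["tests"],
                          "reason": "; ".join(problems)}
    return result


if __name__ == "__main__":
    for system, r in evaluate(TARGETS, parse_log(TEST_LOG)).items():
        print(f"{system:14s} {r['status']}  tests={r['tests']}  {r['reason']}")
```

In the constructed log, core-banking met its targets in March but needed over five hours in June, so it fails on RTO even though one test passed; payments passes; crm has no test and therefore no evidence. Run the same evaluation over the real test register, and keep the register itself, since the logged rows are the artefact an auditor will ask for.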


### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)

### Supply Chain Security

Supply chain security refers to the systematic assessment, securing and contractual obligation of all IT service providers, cloud providers and storage vendors in an organization's IT supply chain. NIS2 and DORA make this mandatory and require evidence of data localization, audit rights and exit strategies.

[Learn more →](https://www.fast-lta.de//en/glossary/supply-chain-security)


## Frequently asked questions

#### Does DORA also apply to smaller banks and savings banks?

Yes, with graduated requirements. DORA scales its obligations by size and risk profile rather than exempting anyone: the proportionality rule (Art. 4) allows risk-based implementation, and certain small entities fall under the simplified ICT risk management framework of Art. 16, but there is no complete exemption for smaller institutions. The backup requirements of Art. 11 and 12 are binding for smaller institutions as well.

#### What does 'demonstrable' mean in DORA Art. 12?

DORA Art. 12 requires that backup systems are intact, isolated and recoverable, and that this can be demonstrated. Auditors do not accept purely procedural evidence. They expect technical configuration documentation, regular recovery tests with logged results and, for backup isolation, a mechanism whose isolation follows from technical properties rather than from configuration alone. A physical air gap at hardware level is the strongest available means of proof.

#### By when must existing ICT contracts be adapted to DORA?

The transition period for existing ICT third-party contracts runs until 31 December 2026. Financial entities must review which of their existing cloud and backup contracts already contain DORA-compliant clauses and renegotiate the rest.
