---
title: Financial Services
date: 2026-04-23T16:04:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/verticals/financial-services"
section: Verticals Pages
---
DORA, GwG, PSD3 and Solvency II

# Compliant data protection for financial services

Banks, insurers, payment providers, and asset managers share one compliance burden: data must not only be secure, it must be demonstrably immutable, complete, and auditable at any time by supervisors, prosecutors, and auditors.

![Fast lta illustration 1773671060117 | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast-lta-illustration-1773671060117.png?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1776957579&s=ce40b5a67712ede42557321d7bbc7ec6)

### DORA has been binding since January 2025, and backup is now a regulated core function

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is not a framework for large banks alone. It applies to nearly all regulated financial market participants: credit institutions, insurers, investment firms, payment providers, asset managers, and, with tiered requirements, smaller banks too. Article 9 requires demonstrable implementation of ICT risk management. Article 12 makes backup systems an explicit subject of regulatory review.

The decisive word in DORA Art. 12 is not "backup"; it is "demonstrable". Backup systems must be documented, tested, and provable in their integrity. A policy-side configuration that an administrator could disable is not enough. Auditors and supervisors require technical evidence, not process descriptions.

### What DORA Art. 12 means in practice

DORA Article 12 requires financial entities to set up ICT-related backup systems that are:

- **isolated**: logically or physically separated from the primary production network,
- **integrity-protected**: backup data must not be compromised by the same attack that hits the primary systems,
- **demonstrably recoverable**: recovery processes must be tested and documented regularly.

A software-based network separation ("logical air gap") meets this only in part: it holds as long as the configuration is correct and no attacker gains sufficient rights. Supervisory guidance, including the EBA Guidelines on ICT and security risk management, has long pointed to the weaknesses of purely logical separation.

A physical air gap, network separation at the hardware level that activates automatically after every backup job, provides what DORA Art. 12 means by "isolation": a separation that no software, no attacker, and no compromised account can undo.

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)


### The Silent Brick System. Physical air gap for DORA Art. 12

The Silent Brick System achieves network separation not through firewall rules or software configuration, but through hardware. The **Silent Bricks** separate the network connection at the device level after the backup job completes, mechanically/electrically, not logically. During the separation phase, the system is unreachable for any device on the network, regardless of the access rights a user or attacker holds.

**For DORA compliance this means:**

- Isolation is a physical property, not a configuration parameter
- Backup data cannot be reached by a ransomware attack on the production environment
- The separation is loggable and therefore auditable: gap-free evidence for Art. 12 reviews

The Silent Brick System is compatible with Veeam, Commvault, and Acronis, so it fits into existing backup architectures without replacing processes or licenses. Its suitability for essential-entity environments and its ISO 27001 conformity ease the evidence toward supervisors and internal audit.


[Find out more](https://www.fast-lta.de//en/products/silent-brick-system)

![X60802x SBMA1x SBP frontal2x Air Gap | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/X60802xSBMA1xSBP-frontal2xAirGap.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772468089&s=648f39bb328f5d8c494ebe5e2dcba9bb)

---

### PSD3: payments under stricter recordkeeping duties

The revised Payment Services Directive (PSD3, currently in the EU legislative process) and the parallel Payment Services Regulation (PSR) tighten requirements for payment providers in several dimensions:

**Dispute management and burden of proof.** PSD3 strengthens payers’ rights in unauthorized transactions and, in certain cases, shifts the burden of proof onto the payment provider. An entity that cannot show without gaps that a transaction was authorized, with complete logs, an unaltered timestamp, and authentication evidence, carries the liability. This evidence must be available, immutable, throughout the entire statutory retention period.

**Fraud data and reporting duties.** PSR Art. 83 requires payment providers to transmit fraud data to the competent authorities. The transaction data and authentication logs needed for this must be demonstrably intact. Software-based archiving that can be modified after the fact does not meet the requirements for evidential quality.

**Strong customer authentication (SCA).** Authentication logs under PSD3/PSR must be archived so that the full SCA evidence is reproducible in a dispute. Missing or subsequently altered authentication logs are not usable in supervisory or court proceedings.

Silent Cubes archive transaction data, authentication logs, and dispute documentation on hardware WORM, with no possibility of subsequent alteration by internal or external actors. Every record carries an immutable timestamp and is fully auditable.

> ⚠️ *Note: At the time of publication, PSD3/PSR are in the final legislative process. The exact transposition deadlines for national legislators are not yet final. The requirements described here are based on the current negotiation status. Legal advice is recommended for entity-specific questions.*

---

### Anti-money laundering: AML compliance requires immutable records

EU anti-money-laundering law has been harmonized: the AML Regulation (Regulation (EU) 2024/1624, "AMLR") and the AMLA Regulation (Regulation (EU) 2024/1620) place specific data-archiving requirements on financial services. In Germany, the Money Laundering Act (GwG) implements the framework nationally.

**Record-keeping duty (five years).** Obliged entities, including credit institutions, insurers, financial service providers, factoring companies, and leasing firms, must keep records of due-diligence measures and transactions for **at least five years**. Under Article 77 AMLR this period is now directly applicable EU law, no longer a matter of national discretion. The period begins at the end of the business relationship or the date of the transaction. Records must be complete, readable, and available without delay to law-enforcement authorities and the Financial Intelligence Unit (FIU).

**Immutability as an evidential precondition.** AML records serve as evidence in criminal proceedings. Records that can technically be manipulated after the fact are challenged by prosecutors and courts. Hardware WORM is the only storage mechanism that guarantees technical immutability at the physical level, independent of access rights, software versions, or administrative intervention.

**Know Your Customer (KYC) and Customer Due Diligence (CDD).** Identification data, verification checks, beneficial owners: all of this KYC material is subject to the AML retention duty. Because this data usually contains personal information, it must at the same time be processed and secured in line with the GDPR. On-premises operation without cloud transfer closes the regulatory grey zone between the AML retention duty and the GDPR principle of data minimization.

**AMLA supervision.** The EU Anti-Money Laundering Authority (AMLA) became operational on 1 July 2025. It will take on direct supervision of selected high-risk entities from January 2028, with selection running from mid-2027, and will set its own documentation requirements. Institutions that rely today on immutable, auditable archive structures will substantially reduce the adjustment effort for AMLA reviews.

Silent Cubes meet the AML retention duty technically: a five-year retention configured at write time, hardware WORM with no administrator access, and a full audit log of every read access. No cloud transfer, so KYC data does not leave your own infrastructure.

---

### Data retention and governance: when retention itself becomes a risk

Financial services face a regulatory dilemma: retention that is too short breaches compliance duties, retention that is too long breaches the GDPR principle of data minimization, and missing governance makes both risks uncontrollable.

**The retention-governance problem in practice:**

A typical financial institution manages dozens of data categories with different retention periods: AML records (5 years), investment-services records (5 years under MiFID II), tax-relevant accounting records (typically 10 years under national tax law), commercial records (typically 6 to 10 years under national commercial law), loan files (variable periods under supervisory guidance), insurance policies and claims files (depending on the product). Each category has its own start dates, deletion duties, and access restrictions.

**Technical consequence:** An archiving system that meets these requirements must make retention periods configurable and enforceable per record, not as a policy setting, but as a physical property. Silent Cubes let you set an individual retention period for each written record that neither administrators nor software errors can override. After the period expires, orderly deletion is possible, an essential element of GDPR compliance.

**Audit trail as a governance tool.** Every access to archived data is logged without gaps: who opened which file when, which exports were performed, which systems accessed which records. This audit trail is indispensable for data protection impact assessments (DPIA under GDPR Art. 35), internal compliance reviews, and supervisory audits.
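The retention rules described in this section (retention fixed at write time per record, deletion refused before expiry whoever asks, orderly deletion possible afterwards, and every access logged) can be made concrete with a small model. The following is an added example written for this page, not FAST LTA or Silent Cubes code: an in-memory write-once store that enforces per-record retention and keeps an append-only audit log. The category table uses the periods the page cites (AML 5 years, MiFID II 5 years, tax 10 years, accident claims up to 30 years); the rule that retention may be extended (for example for a legal hold) but never shortened is an assumption added for illustration, as are the record IDs and actor names in the walk-through.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods per data category, in years. The figures are the ones the
# page cites; treating them as a fixed table is an illustrative assumption.
RETENTION_YEARS = {
    "aml": 5,                # AMLR Art. 77
    "mifid": 5,              # MiFID II
    "tax": 10,               # national tax law (e.g. AO §147 in Germany)
    "claims-accident": 30,   # accident products, up to 30 years
}


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(category: str, y: int, m: int, d: int) -> str:
    """ISO date on which retention for a record of this category expires."""
    return add_years(date(y, m, d), RETENTION_YEARS[category]).isoformat()


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date      # end of business relationship or transaction date
    retention_until: date   # fixed when the record is written
    deleted: bool = False


class RetentionStore:
    """Model of a write-once archive with per-record retention (illustrative).

    Every operation, including refused ones, is appended to the audit log so a
    reviewer can see who attempted what, when, and with which outcome.
    """

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self.audit_log: list[tuple[date, str, str, str, str]] = []

    def _log(self, when: date, actor: str, action: str, rid: str, outcome: str) -> None:
        self.audit_log.append((when, actor, action, rid, outcome))

    def write(self, rid: str, category: str, trigger_date: date, actor: str, today: date) -> Record:
        # Write once: an existing record ID is never overwritten.
        if rid in self.records:
            self._log(today, actor, "write", rid, "refused: record exists (write once)")
            raise PermissionError(f"{rid} already exists")
        rec = Record(rid, category, trigger_date,
                     add_years(trigger_date, RETENTION_YEARS[category]))
        self.records[rid] = rec
        self._log(today, actor, "write", rid, f"ok: retained until {rec.retention_until}")
        return rec

    def read(self, rid: str, actor: str, today: date) -> Record:
        # Read access is logged as well: who opened which record when.
        rec = self.records[rid]
        self._log(today, actor, "read", rid, "ok")
        return rec

    def extend_retention(self, rid: str, new_until: date, actor: str, today: date) -> bool:
        """Retention may only grow (e.g. legal hold); shortening is refused (assumed rule)."""
        rec = self.records[rid]
        if new_until <= rec.retention_until:
            self._log(today, actor, "extend", rid, "refused: would shorten retention")
            return False
        rec.retention_until = new_until
        self._log(today, actor, "extend", rid, f"ok: now until {new_until}")
        return True

    def delete(self, rid: str, actor: str, today: date) -> bool:
        """Deletion is refused before expiry regardless of who asks."""
        rec = self.records[rid]
        if today < rec.retention_until:
            self._log(today, actor, "delete", rid, "refused: retention not expired")
            return False
        rec.deleted = True
        self._log(today, actor, "delete", rid, "ok")
        return True

    def overdue(self, today: date) -> list[str]:
        """Records past retention and still present: the data-minimization side of the dilemma."""
        return sorted(r.record_id for r in self.records.values()
                      if not r.deleted and today >= r.retention_until)


def demo() -> dict:
    """Constructed walk-through: an AML record written in 2020, an early deletion
    attempt, a refused shortening, a legal hold, and deletion after expiry."""
    store = RetentionStore()
    store.write("kyc-0001", "aml", date(2020, 3, 15), "ingest-svc", date(2020, 3, 15))
    early = store.delete("kyc-0001", "admin", date(2024, 1, 1))                               # refused
    shortened = store.extend_retention("kyc-0001", date(2023, 1, 1), "admin", date(2024, 1, 1))  # refused
    held = store.extend_retention("kyc-0001", date(2027, 1, 1), "legal", date(2024, 1, 1))       # ok
    overdue_before = store.overdue(date(2026, 1, 1))                                          # still under hold
    late = store.delete("kyc-0001", "admin", date(2027, 1, 1))                                # ok
    return {"early_delete": early, "shortened": shortened, "held": held,
            "overdue_before_hold_expiry": overdue_before, "late_delete": late,
            "audit_entries": len(store.audit_log)}


if __name__ == "__main__":
    for entry in demo().items():
        print(*entry)
```

The point of the model is the shape of the rules rather than the storage medium: retention lives on the record, the store refuses rather than trusts the caller's role, and the refusals themselves are part of the evidence an auditor will ask for.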

---

### Fraud and disputes: archiving as a legal line of defence

In a dispute between a financial institution and a customer, or between an institution and a supervisor, the quality of the documentation decides the outcome. Digital records that can technically be manipulated are open to challenge in court.

**Transaction archiving for fraud cases.** When a customer disputes a transaction, the institution must prove that it was authorized. This includes transaction data with an immutable timestamp, authentication logs (SCA, OTP, biometric logs), IP addresses and session data, and where applicable call-center recordings and chat logs. All of this must be available in evidential quality: tamper-proof and with a gap-free chain-of-custody record.

**Chargeback and dispute procedures.** Payment networks (Visa, Mastercard) and acquirers require complete transaction evidence within tight deadlines in dispute procedures. If it is not immediately available, or the immutability proof is missing, the institution automatically loses the dispute, regardless of the merits.

**Regulatory sanction proceedings.** Supervisory proceedings, EBA reviews, and national prosecution presuppose that submitted records have not been altered after the fact. A hardware-WORM archive delivers this proof at the physical level, not as a statement, but as a technical property of the storage medium.

Silent Cubes and the Silent Brick System store all relevant records with an immutable timestamp, hardware-WORM protection, and a full audit log. The proof of non-alteration is available for each record individually, a decisive advantage over software-based archiving, where immutability is merely configured, not physically guaranteed.

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)


### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)


![SCDS HU Pro HWWORM | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/SCDS-HUProHWWORM.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772121892&s=9e9f51c50282d0054642755ea718461b)

## Silent Cubes. Compliant archive for accounting, AML, and GDPR.

Beyond the DORA requirements for backup systems, long-term statutory archiving remains a compliance dimension of its own:

- **National commercial and tax law** (in Germany: HGB §§ 238, 257; AO § 147; GoBD): business books, annual accounts, and posting documents, typically up to 10 years, unaltered
- **EU VAT Directive (2006/112/EC):** invoice retention as required by national implementation
- **AML Regulation (EU 2024/1624):** KYC records, due-diligence and transaction documentation, 5 years
- **MiFID II (Directive 2014/65/EU):** records of investment services, 5 years (extendable to 7)
- **Supervisory guidance** (EBA ICT Guidelines; in Germany MaRisk): retention of risk reports, loan files, and trading records with a full audit trail
- **GDPR Art. 5(1)(e), Art. 32:** integrity of personal data throughout the entire retention period

Silent Cubes enforce immutability at the only level no software can override: the hardware controller. No administrator, ransomware attack, or privileged service account can change or prematurely delete a record once stored. The retention period is configured at write time, up to ten years for tax-relevant material, five years for AML records, and decades for insurance claims files.

For auditors, supervisors, and prosecutors, the difference from software-based archiving is not theoretical: hardware WORM is a physical property. Software WORM is a policy that someone can follow, or not.


### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)


[Find out more](https://www.fast-lta.de//en/products/silent-cubes)

---

### Insurance: its own regulation, the same infrastructure

Insurers are subject to their own regulatory framework, with specific requirements that go beyond DORA and general accounting law.

**Solvency II (Directive 2009/138/EC, regularly updated).** The pillar model of Solvency II prescribes extensive documentation and retention duties in Pillar II (governance) and Pillar III (reporting). ORSA reports (Own Risk and Solvency Assessment), risk-management documents, capital models, and governance minutes must be archived tamper-proof and be available for supervisory reviews at any time.

**National insurance supervision** (in Germany, the Insurance Supervision Act, VAG) requires proper business organization, including risk management and internal control, as foreshadowed by the Solvency II system of governance. Records demonstrating compliance, internal audits, compliance reports, board and supervisory-board minutes, must be archived so their authenticity can be proven in a review.

**Insurance Distribution Directive (IDD, Directive (EU) 2016/97).** The IDD requires that advice records, suitability documentation, and contract documents be kept demonstrably complete and immutable. In a dispute over mis-selling, the institution carries the burden of proof, with demonstrably unaltered original documents from the advisory session. In Germany, the IDD is transposed via the Insurance Contract Act (VVG).

**Claims files and reinsurance.** Claims files in life and accident insurance can require retention periods of 30 years or more (especially for occupational-disability, liability, and accident products). Reinsurance contracts and statements are themselves subject to commercial and tax-law periods. Silent Cubes are designed for exactly this requirement: long-term retention with configurable periods per record, without degradation of the storage media over decades.

**Motor liability and claims handling.** Large insurers manage millions of claims notifications, expert reports, photos, and correspondence. This data must remain available and demonstrably unaltered for many years, for recovery proceedings, court disputes, and internal reviews. It usually contains sensitive personal data, so GDPR-compliant on-premises archiving without cloud transfer is not a preference here, but a duty.


## Silent AI. Keep regulatory knowledge on premises.

Compliance teams in banks and insurers work with a continuously growing rulebook: supervisory circulars, EBA guidelines, AML regulation, internal work instructions, contract documents, SWIFT requirements. Searching this documentation costs time, and faulty interpretations cost more.

**Silent AI** brings AI-assisted document analysis into your own infrastructure, without a single byte leaving your environment. Through 15+ connectors, including SharePoint, DMS systems, and structured document stores, sources are brought together and made available in an on-premises knowledge assistant.

No cloud transfer. No third-party processing. No GDPR grey zone in handling confidential regulatory documents, KYC data, or personal customer data.


[Find out more](https://www.fast-lta.de//en/products/silent-ai)

![2026 SAI frontal | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/2026-SAI-frontal.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772122968&s=9c06679cda8115826b582a2405de8be0)

---

### Compliance at a glance

| Regulation | Affected entities | Requirement | FAST LTA solution |
|---|---|---|---|
| **DORA Art. 12 (EU 2022/2554)** | All regulated financial market participants | Isolated, integrity-protected, demonstrably recoverable ICT backup; binding since 17 Jan 2025 | Silent Brick Max Air: physical hardware air gap, loggable, suitable for essential-entity environments |
| **EBA ICT Guidelines** (in Germany: BAIT) | Credit institutions | Outsourcing-independent backup, protection from data loss and manipulation | Air-gap backup with no cloud dependency; full control over backup infrastructure |
| **PSD3 / PSR** | Payment providers, e-money institutions | Immutable transaction and authentication logs for dispute and fraud evidence | Silent Cubes hardware WORM; immutable timestamp; immediately retrievable |
| **AML Regulation (EU 2024/1624)** (in Germany: GwG) | Credit institutions, insurers, financial services, factoring, leasing | KYC records, transaction documentation: 5 years, immutable, FIU-retrievable | Hardware WORM with 5-year retention; on premises, no cloud transfer |
| **AMLA Regulation (EU 2024/1620)** | High-risk entities (direct AMLA supervision from 2028) | Documentation requirements of the new EU AML authority | Auditable, immutable archive structure, AMLA-ready |
| **National tax & commercial law** (e.g. Germany GoBD/HGB/AO) + **EU VAT Directive 2006/112/EC** | All institutions with bookkeeping duties | Immutability, completeness, traceability of tax-relevant documents (typically 10 years) | Silent Cubes hardware WORM; configurable retention; full audit trail |
| **GDPR Art. 5, 32** | All institutions with personal data | Integrity and confidentiality of personal data | Hardware immutability; on-premises operation without cloud transfer |
| **Supervisory guidance** (EBA; in Germany MaRisk) | Credit institutions | Retention of risk reports, loan files, full audit trail | Silent Cubes with gap-free access and change logging |
| **Solvency II (2009/138/EC)** | Insurers | ORSA reports, governance documents, risk-management records, tamper-proof | Silent Cubes: configurable long-term retention, hardware WORM, full audit trail |
| **IDD (Directive (EU) 2016/97)** | Insurance distribution | Advice records, suitability documentation, demonstrably immutable | Hardware WORM; chain-of-custody evidence per record |
| **MiFID II (2014/65/EU)** | Investment service providers | Records of investment services: 5 years | Silent Cubes with configurable retention and full access log |

## Frequently asked questions

#### Does DORA also apply to smaller banks?

Yes, with tiered requirements. DORA distinguishes between significant and less significant entities but sets no full exemption for smaller ones. Smaller banks are within the DORA framework, while the proportionality rule (Art. 4) allows risk-based implementation. Supervisors have made clear that the backup requirements under Art. 12 have been binding for smaller institutions too since 17 January 2025.


#### What does "demonstrable" mean in DORA Art. 12, and what does not satisfy an auditor?

DORA Art. 12 requires backup systems to be integrity-protected, isolated, and recoverable, and that this can be proven. An auditor will not accept purely procedural evidence ("we have a policy that backups are isolated"). What is expected: technical configuration documentation, regular recovery tests with logged results, and, for backup isolation, a mechanism that ensures the isolation through a technical property rather than software configuration.


#### What are the AML retention periods, and which records are affected?

EU AML law (Article 77 of Regulation (EU) 2024/1624) requires a minimum retention of five years. Affected are all records arising from due-diligence duties: identification documents, verification evidence, beneficial owners, risk assessments, transaction documentation for suspicious matters, and business correspondence on due-diligence processes. The period begins at the end of the business relationship or the date of the transaction. Records must be available to the FIU and law-enforcement authorities without delay.

 

#### Do AML rules also apply to insurers?

Yes. Life insurers and insurance intermediaries are obliged entities under EU AML law (in Germany, §2(1) no. 7 GwG). They must perform customer due diligence and keep the corresponding records for five years. Simplified due diligence applies to property insurance with a low money-laundering risk, but the retention duties remain.

 

#### How long must insurance claims files be kept?

It depends on the insurance line. As reference values: motor and general liability at least 10 to 30 years (depending on limitation periods and claim type), life insurance for the term of the contract plus 10 years, occupational-disability and accident insurance up to 30 years (limitation for permanent damage). The applicable limitation period determines the minimum retention. Hardware WORM with configurable retention per record is the technically cleanest solution for these heterogeneous periods.

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)
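The answers above on what an auditor expects under DORA Art. 12 (a technically enforced property, recovery tests with logged results) and on per-record retention for claims files describe behaviour that hardware WORM provides in the storage controller. The following Python block is an added example, not FAST LTA code, that models the same rules in software so the expected behaviour can be seen and tested: a record can be written once, cannot be deleted before its own retention date, and every verification run produces a loggable evidence record. The retention years per insurance line are taken from the reference values quoted above; the record ids and payloads are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Reference retention periods (years) per insurance line, using the figures quoted
# above; a real policy must derive them from the applicable limitation period.
RETENTION_YEARS = {
    "motor": 10,
    "general_liability": 10,
    "life": 10,                    # contract term plus 10 years: clock starts at contract end
    "occupational_disability": 30,
    "accident": 30,
}


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass(frozen=True)
class Record:
    record_id: str
    sha256: str          # digest fixed at write time; the reference value for audits
    retention_until: date


class WormArchive:
    """Software model of a write-once store with per-record retention.

    Hardware WORM enforces these rules in the storage controller, below the OS and
    below any administrator account. This class enforces the same rules in code,
    purely to make the expected behaviour visible and testable.
    """

    def __init__(self) -> None:
        self._index: dict[str, Record] = {}   # immutable metadata
        self._blobs: dict[str, bytes] = {}    # stored payload (may suffer bit rot)

    def write(self, record_id: str, payload: bytes, line: str, closed_on: date) -> Record:
        """Store a record once; a second write to the same id is refused."""
        if record_id in self._index:
            raise PermissionError(f"{record_id}: already written, WORM forbids overwrite")
        rec = Record(
            record_id=record_id,
            sha256=hashlib.sha256(payload).hexdigest(),
            retention_until=add_years(closed_on, RETENTION_YEARS[line]),
        )
        self._index[record_id] = rec
        self._blobs[record_id] = payload
        return rec

    def delete(self, record_id: str, today: date) -> None:
        """Deletion is only possible once the record's own retention has expired."""
        rec = self._index[record_id]
        if today < rec.retention_until:
            raise PermissionError(f"{record_id}: retained until {rec.retention_until.isoformat()}")
        del self._index[record_id]
        del self._blobs[record_id]

    def verify(self, today: date) -> dict:
        """Recompute every digest and return an evidence record suitable for logging."""
        tampered = [
            rid for rid, rec in self._index.items()
            if hashlib.sha256(self._blobs[rid]).hexdigest() != rec.sha256
        ]
        return {
            "checked_on": today.isoformat(),
            "records": len(self._index),
            "intact": len(self._index) - len(tampered),
            "tampered": tampered,
        }


def demo() -> dict:
    """Constructed scenario: two claims files, one overwrite attempt, one early delete."""
    archive = WormArchive()
    archive.write("claim-0001", b"motor claim, settled", "motor", date(2024, 3, 15))
    archive.write("claim-0002", b"accident claim, permanent damage", "accident", date(2024, 2, 29))
    result = {"overwrite_blocked": False, "early_delete_blocked": False}
    try:
        archive.write("claim-0001", b"altered", "motor", date(2024, 3, 15))
    except PermissionError:
        result["overwrite_blocked"] = True
    try:
        archive.delete("claim-0001", date(2030, 1, 1))   # retained until 2034-03-15
    except PermissionError:
        result["early_delete_blocked"] = True
    result["evidence"] = archive.verify(date(2026, 1, 1))
    return result
```

The dictionary returned by `verify()` is the kind of timestamped, logged result an auditor asks for in place of a written policy. The limitation of this model is also the point the page makes: because the enforcement lives in code, anyone with write access to the process could bypass it, which is why Art. 12 evidence is expected to rest on a technical property of the storage rather than on software configuration.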

 

#### Can the Silent Brick System be integrated into our existing Veeam/Commvault infrastructure?

Yes. The Silent Brick System is natively compatible with Veeam, Commvault, and Acronis. It is added as a backup target without changing existing licenses, processes, or backup jobs. The air-gap functionality of the Silent Brick Max Air is transparent to the backup software; the separation happens automatically at the hardware level after the job completes.

 

#### Can Silent Cubes meet SWIFT archiving requirements?

The SWIFT Customer Security Programme (CSP) and its controls (in particular Control 2.2 and 6.1) require protection of stored SWIFT-relevant data from unauthorized change and demonstrable integrity. The hardware-WORM function of Silent Cubes meets these requirements. Our compliance specialists are glad to discuss SWIFT-specific integration questions in a consultation.

 

#### What changes with the new EU AML authority, AMLA?

AMLA became operational on 1 July 2025 and will take on direct supervision of selected high-risk entities from January 2028 (selection running from mid-2027). The AML Regulation (EU 2024/1624) harmonizes AML requirements across the EU and will set its own documentation standards. Institutions that rely today on physically immutable, fully auditable archive structures are already structurally prepared for AMLA reviews.

 

#### How long does implementation take, and what about ongoing operation?

A typical first installation is complete within a few days. Silent Cubes and the Silent Brick System are delivered as preconfigured appliances and integrated into existing network and backup architectures. Ongoing operation requires no dedicated specialist. FAST LTA offers managed-service models on request.

 

Made in Europe · DORA Art. 12-ready · EU AML / MiFID II / Solvency II · ISO 27001 · Suitable for essential-entity environments · 2,500+ customers since 2008

## Arrange a compliance call

Speak with a specialist for regulated financial infrastructure.

 

[Arrange a compliance call](https://www.fast-lta.de//en/fast/contact/general "Arrange a compliance call")

![Jan Schoenfeld | Enterprise Account Executive | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/1FAV.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1780661634&s=5f9d098193f2138d53321e6887bee837)
