Article 11 Digital Operational Resilience Act (DORA), Backup Policies and Recovery Methods
Article 11 of the Digital Operational Resilience Act (DORA) establishes essential requirements for financial entities regarding backup policies and recovery methods to ensure minimal downtime and limited disruption during ICT incidents. This article underscores the importance of developing and maintaining robust backup and recovery strategies to safeguard ICT systems and data. Here’s a comprehensive overview of the key provisions under Article 11.
Backup Policies
To minimize downtime and disruption, financial entities must develop a comprehensive backup policy as part of their ICT risk management framework. This policy should include:
- Scope and Frequency: The backup policy must specify the scope of data to be backed up and the minimum frequency of backups. The scope should cover critical and sensitive information, ensuring that the backup strategy aligns with the importance of the data.
- Recovery Methods: Financial entities are required to outline detailed recovery methods within their backup policy. These methods should enable effective restoration of data and systems with minimal impact on business operations.
Processing and Restoration
- Timeliness of Backup Processing: Backup systems must be capable of beginning processing without undue delay. However, this initiation should not compromise the security of network and information systems or the confidentiality and integrity of the data.
- Secure Restoration: When restoring data using their own systems, financial entities must use ICT systems with a distinct operating environment from the primary system. These backup systems should not be directly connected to the primary system and must be securely protected against unauthorized access and ICT corruption.
Redundant ICT Capacities
- Maintenance of Redundant Capacities: Financial entities are required to maintain redundant ICT capacities that include sufficient resources, capabilities, and functionalities to meet business needs. This redundancy ensures that essential operations can continue even if the primary ICT systems fail.
- Secondary Processing Sites: For entities referred to in point (f) of Article 2(1), it is crucial to maintain or ensure that ICT third-party providers maintain at least one secondary processing site. This site should:
- Geographical Separation: Be located at a sufficient geographical distance from the primary site to avoid being affected by the same incident. This separation helps in managing distinct risk profiles.
- Service Continuity: Provide continuity of critical services similar to the primary site or ensure the necessary level of service to maintain critical operations within the recovery objectives.
- Accessibility: Be immediately accessible to the financial entity’s staff to ensure uninterrupted service continuity if the primary processing site becomes unavailable.
Recovery Time and Point Objectives
Financial entities must set recovery time and point objectives for each function, considering the potential overall impact on market efficiency. These objectives must ensure that, even in extreme scenarios, service levels are maintained according to agreed-upon standards.
Data Integrity Checks
During the recovery process from an ICT-related incident, financial entities must perform comprehensive checks and reconciliations to ensure the highest level of data integrity. These checks are crucial when reconstructing data from external stakeholders to ensure consistency and accuracy between systems.
Conclusion
Article 11 of DORA outlines critical measures for backup and recovery to ensure the resilience and continuity of ICT systems within financial entities. By establishing robust backup policies, ensuring timely and secure restoration processes, maintaining redundant ICT capacities, and setting clear recovery time and point objectives, financial entities can effectively mitigate the impact of ICT disruptions. These measures are designed to support business continuity, maintain data integrity, and ensure operational resilience in the face of ICT incidents. Financial entities must also regularly test and review their backup and recovery strategies to address evolving risks and technological advancements, thus enhancing their overall operational resilience.