Backup policies
Integration into the ICT Risk Management Framework (Article 12(1) DORA)
- Backup policies and procedures form part of the ICT risk management framework under Article 6(1) DORA.
- Financial entities must develop and document backup policies and procedures, as well as restoration and recovery procedures and methods.
Purpose of the Backup Policies (Article 12(1) DORA)
- The policies must ensure that ICT systems and data can be restored with minimum downtime, limited disruption, and limited loss.
- The policies must support the financial entity’s overall resilience obligations.
Mandatory Content Elements (Article 12(1)(a)–(b) DORA)
Backup Policies and Procedures
The policies must specify:
- the scope of data that is subject to backup; and
- the minimum frequency of backups.
Both requirements must be based on:
- the criticality of the information; or
- the confidentiality level of the data.
Restoration and Recovery Procedures and Methods
The policies must include restoration and recovery procedures and methods that support the effective reinstatement of ICT systems and data.
Backup Systems Requirements (Article 12(2) DORA)
Financial entities must:
- set up backup systems that can be activated in accordance with:
– the backup policies and procedures, and
– the restoration and recovery procedures and methods; and
- ensure that the activation of backup systems does not jeopardise:
– the security of network and information systems, or
– the availability, authenticity, integrity, or confidentiality of data.
Testing Requirements (Article 12(2) DORA)
- Financial entities must periodically test:
– the backup procedures, and
– the restoration and recovery procedures and methods.
Such testing must confirm operational readiness and compliance with the entity’s backup and recovery requirements.