Contents
Backup procedures
Regulatory Purpose and Position in the ICT Risk Management Framework
Article 12 DORA establishes a mandatory, formalised set of backup procedures designed to ensure:
- restoration of ICT systems and data with minimal downtime,
- limited business disruption,
- minimal data loss, and
- preserved availability, authenticity, integrity and confidentiality of data during and after activation.
Backup procedures form a core element of the ICT response and recovery capabilities and are required to be fully embedded into the ICT risk management framework under Article 6(1)–(3) DORA.
They must operate in close alignment with:
- incident detection (Article 10),
- business continuity and recovery planning (Article 11),
- data and system security (RTS RMF Article 11),
- logging, operations, and ICT asset management.
Required Content and Scope of Backup Procedures
Backup procedures must be developed, documented, and kept current, covering the full lifecycle of backup operations for all relevant ICT systems and data.
Specification of Data in Scope
Backup procedures must explicitly define:
- which datasets are subject to backup,
- which ICT systems, databases, applications and platforms require backup,
- the classification and criticality level of each dataset (availability, confidentiality, integrity requirements),
- which datasets or systems are excluded, and the rationale for such exclusions.
The scope must reflect the criticality mapping under Article 8(1) DORA.
Minimum Backup Frequency
Backup frequency must be:
- based on the criticality of information, and
- based on the confidentiality level of the data.
This implies a risk-based backup schedule, typically including differentiated frequencies such as:
- real-time or near-real-time replication for critical functions,
- daily incremental backups for important functions,
- weekly/monthly backups for non-critical systems,
- geographically diverse or offsite backup for resilience.
Restoration and Recovery Procedures
Backup procedures must integrate and reference the organisation’s broader restoration and recovery capability:
- detailed steps for restoring ICT systems, configurations, and datasets,
- instructions for validating the integrity and completeness of restored data,
- recovery sequencing and dependencies (e.g., infrastructure → middleware → application → data),
- explicit alignment with RTO (Recovery Time Objective) and RPO (Recovery Point Objective) expectations from the ICT BCP (RTS RMF Article 24).
Activation Controls for Backup Systems
Article 12(2) requires backup systems to be configured so that activation:
- does not compromise network or information system security,
- does not reduce data availability,
- does not impact authenticity, integrity or confidentiality of data.
Backup environments must be hardened, access-controlled, and monitored to prevent compromise during high-stress restoration scenarios.
Required Technical and Organisational Measures
The backup procedures must include:
Technical Controls
- secure backup storage (immutable storage, encryption, logical isolation),
- encryption of backups at rest and in transit,
- segregation of backup networks or repositories,
- versioning and retention policies,
- integrity-checking and checksum validation mechanisms,
- access restrictions aligned with Article 21 RTS RMF (Access Control).
Organisational Controls
- documented roles and responsibilities for backup execution, approval, verification,
- multi-person controls for restoration of critical systems,
- documented change control for backup schedules, storage locations, procedures,
- alignment with outsourcing policy for backup processes supported by third-party providers.
Testing Requirements
Article 12(2) requires periodic testing of:
- backup procedures, and
- restoration and recovery procedures and methods.
Testing must confirm:
- backups can be successfully restored within the defined RTO/RPO,
- restored data maintains integrity and confidentiality,
- controlled activation of backup systems does not compromise ICT security,
- staff are capable of executing restorations during real events.
Tests must be:
- risk-based,
- documented,
- evidenced,
- aligned with ICT BCP testing under Article 11(6) DORA and RTS RMF Article 25.
Findings must feed into:
- the annual ICT risk management framework review (Article 6(5)),
- the incident management continuous improvement cycle (Article 17 DORA),
- and the ICT internal audit plan (Article 6(6) and Article 5(2)(f) DORA).
Governance and Oversight
In accordance with Article 5(2)(e) and Article 6 DORA:
- the management body must approve and periodically review backup procedures,
- the ICT risk management function must monitor backup effectiveness and residual risks,
- internal audit must periodically assess design and operating effectiveness of backup controls.
All evidence, logs, and test results must be readily accessible for supervisory review.