Article 11 Digital Operational Resilience Act (DORA), Backup Policies And Recovery Methods

by Sneha Naskar

Article 11 of the Digital Operational Resilience Act (DORA) places significant emphasis on the development and implementation of robust backup and recovery policies within financial entities. These policies are crucial components of their ICT risk management frameworks, designed to ensure operational continuity and mitigate the impact of disruptions caused by ICT incidents, cyber threats, or other unforeseen events.

Backup Policy And Scope

Financial entities must establish comprehensive backup policies that clearly define the scope of data subject to backup and the frequency of backups. The scope typically includes critical data that is sensitive or essential for the ongoing operations of the institution. Data criticality and sensitivity determine the minimum frequency of backups, ensuring that essential information is protected and readily available for recovery purposes.

Recovery Methods And Procedures

Defined recovery methods are essential for restoring ICT systems swiftly and effectively following a disruption. Financial entities are required to outline detailed procedures for initiating and executing recovery processes. These procedures encompass the restoration of systems, applications, and data to their operational state, minimizing downtime and ensuring business continuity. Clear protocols for activating backup systems promptly are crucial to maintain the security, integrity, and confidentiality of network and information systems during recovery phases.

Use of Separate ICT Systems For Restoration

During the restoration process, financial entities must ensure that backup data is recovered using ICT systems that operate in an environment distinct from the primary systems. This separation prevents direct connectivity between the primary and backup systems, reducing the risk of simultaneous failure due to a single point of vulnerability. Secure protection against unauthorized access and ICT corruption is mandated to preserve the integrity and reliability of restored data and systems.

Specific Requirements For Central Counterparties

Financial entities categorized under point (g) of Article 2(1) must adhere to additional requirements to ensure recoverability of all transactions. These entities, such as central counterparties, play critical roles in financial markets by facilitating the completion of settlements on scheduled dates. Their recovery plans must therefore prioritize the seamless operation and continuity of critical functions, ensuring no disruption to financial market operations.

Maintenance Of Redundant ICT Capacities

Maintaining redundant ICT capacities is essential for financial entities to mitigate risks associated with ICT failures or disruptions. Redundancy ensures that sufficient resources, capabilities, and functionalities are available to meet operational demands and business continuity requirements. This includes provisions for secondary processing sites that offer geographical separation from primary sites, diversifying risk profiles and enhancing resilience against localized disruptions.

Establishment Of Recovery Time Objectives (RTO) And Recovery Point Objectives (RPO)

Financial entities are required to establish clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each function or system. These objectives define the maximum acceptable downtime and data loss following an ICT incident, ensuring that service levels and operational commitments are met even under extreme circumstances. Determining RTO and RPO involves careful assessment of operational impacts and market efficiency considerations to prioritize critical functions during recovery efforts.

Data Integrity Checks And Reconciliation

During the recovery phase of ICT incidents, financial entities must conduct rigorous data integrity checks and reconciliations. These processes ensure that recovered data is accurate, consistent, and aligned across all systems and platforms. Integrity checks are particularly crucial when reconstructing data from external stakeholders or third-party sources, maintaining data consistency and operational continuity throughout the recovery process.

The provisions outlined in Article 11 of DORA underscore the critical importance of robust backup and recovery strategies within financial entities. By establishing clear policies, implementing effective recovery methods, maintaining redundant capacities, and adhering to stringent objectives for data integrity and operational continuity, financial institutions can enhance their resilience against ICT disruptions. These measures not only safeguard their operations and services but also contribute to the overall stability and integrity of the financial sector amid evolving technological landscapes and increasing cyber threats.
