DORA is Now in Force
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied across the European Union since 17 January 2025, setting a new standard for how financial institutions manage ICT (information and communication technology) risk and ensure operational resilience.
DORA doesn't just encourage resilience — it mandates it. For banks, insurers, investment firms, and other regulated entities, that means proving the ability to recover data quickly, completely, and securely after a disruption.
Yet not all "backups" meet that bar. Many organizations still rely on cloud snapshots or synchronized copies that live in the same tenant, account, or credential scope as the production data. These are convenient, but they fall short of the backup principles DORA sets out, especially around separation, immutability, and verifiable recovery.
What DORA Actually Requires
DORA doesn't mention "cyber storage" by name, but its language, particularly in Article 12 (backup policies and procedures, restoration and recovery procedures and methods), sets clear expectations that align with cyber storage fundamentals. Among the key provisions are:
- Organizations must develop and document backup policies and procedures (covering the scope and minimum frequency of backups, based on data criticality and confidentiality) together with restoration and recovery procedures, and must test them periodically
- When restoring backup data on their own systems, organizations must use ICT systems that are physically and logically segregated from the source ICT system, and those systems must be protected from unauthorised access and ICT corruption (Article 12(3))
- Activating backups and restoring data must not jeopardise the availability, authenticity, integrity, or confidentiality of data, and recovery from an incident must include the necessary checks, including multiple checks and reconciliations, to ensure the highest level of data integrity
- Recovery time and recovery point objectives (RTOs and RPOs) must reflect whether a function is critical or important, and must ensure that agreed service levels are met even in extreme scenarios
In short, DORA enforces a high bar: Backups must be resilient, verifiable, isolated, and capable of restoring operations safely and swiftly.
The Problem with "Backup" in Name Only
The term backup is widely used, but not always accurately. A synchronized copy in the same cloud or a versioned snapshot inside the same tenant is not a true backup: it shares infrastructure, credentials, and administrative control with the data it is supposed to protect. If ransomware, a cloud outage, or a compromised admin credential affects your production environment, the same event can encrypt, delete, or cut off access to those copies too. Under DORA, that's no longer acceptable.
A compliant backup must be physically and logically segregated from the production system — and this is precisely the design principle behind true backup and the 3-2-1 rule: Three copies of data, on two different media, with one stored offsite.
In a SaaS and cloud-first world, this "offsite" element translates to independent infrastructure: an isolated environment with its own identity and access controls, built for immutability and recovery assurance. This kind of separation is often referred to as a logical air gap.
What is Cyber Storage?
Cyber storage is a modern, purpose-built approach to backup that eliminates shared-risk dependencies and ensures that data remains recoverable, even when everything else fails. It's designed to be a proactive defense against threats like ransomware by embedding security measures such as:
- Immutability - Data cannot be modified or deleted once written, for the length of its retention period, regardless of who holds the credentials
- Anomaly detection - Automated monitoring for suspicious activity patterns
- Access controls - Strict authentication and authorization requirements
- Independent infrastructure - Physically and logically separated from production systems
This approach ensures that organizations stay in control of their data at all times — able to access, restore, and verify it independently, without relying on the same systems that might have failed.
Practical Steps for Compliance
To align with DORA's backup requirements:
- Adopt independent, air-gapped backup - Store backup copies in infrastructure separate from the production SaaS provider, reachable only through credentials that are not shared with production
- Implement immutability - Ensure backup data cannot be modified or deleted before its retention period ends, even by administrators or by a compromised admin account
- Test recovery regularly - Document recovery procedures, run restore drills into a segregated environment, and verify that RTOs/RPOs are achievable and that restored data passes integrity checks against what was backed up
- Maintain detailed logs - Track all backup and restoration activities for audit purposes
- Establish formal policies - Document backup schedules, retention periods, and recovery procedures
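The recovery-testing, integrity-check, and RTO/RPO steps above can be scripted so that a restore drill produces the same evidence every time it is run. The following is an added illustrative example, not code from Keepit or from the DORA text. The ledger files, timestamps, RTO/RPO values, and the two restore functions are constructed for the demo; the restore functions stand in for a real restore into a segregated recovery environment, and the "recorded digest" stands in for a manifest hash kept outside the backup store.

```python
"""Restore drill: restore a backup copy, check it against the manifest written at
backup time, and check RTO/RPO. Added illustrative example, not Keepit's code.
All inputs are constructed in-memory; the 'backup' and 'restore' are dicts
standing in for real storage and a real restore into a segregated environment."""
import hashlib
import json
import time
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_digest(body: dict) -> str:
    # Canonical JSON so the digest does not depend on key order.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_manifest(objects: dict[str, bytes], taken_at: datetime) -> dict:
    """Per-object digest and size recorded at backup time, plus a digest of the
    manifest so a rewritten manifest can be detected later."""
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in sorted(objects.items())}
    body = {"taken_at": taken_at.isoformat(), "entries": entries}
    return {**body, "manifest_sha256": manifest_digest(body)}


def manifest_is_intact(manifest: dict, expected_digest: str) -> bool:
    """expected_digest must come from a record held outside the backup store
    (ticket, log, second location); a digest read from the same store proves nothing."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return manifest_digest(body) == expected_digest


@dataclass
class DrillResult:
    manifest_intact: bool
    missing: list[str] = field(default_factory=list)     # in manifest, not restored
    corrupted: list[str] = field(default_factory=list)   # restored, but size/digest differ
    unexpected: list[str] = field(default_factory=list)  # restored, but not in manifest
    elapsed_s: float = 0.0
    data_age: timedelta = timedelta(0)
    rto_met: bool = False
    rpo_met: bool = False

    @property
    def passed(self) -> bool:
        return (self.manifest_intact and not self.missing and not self.corrupted
                and not self.unexpected and self.rto_met and self.rpo_met)


def run_restore_drill(manifest: dict, expected_digest: str,
                      restore: Callable[[], dict[str, bytes]],
                      rto: timedelta, rpo: timedelta, now: datetime,
                      clock: Callable[[], float] = time.monotonic) -> DrillResult:
    """restore() performs the restore under test and returns {name: bytes}.
    clock() returns seconds and is injectable so the RTO check can be tested."""
    if not manifest_is_intact(manifest, expected_digest):
        return DrillResult(manifest_intact=False)  # hashes from a tampered manifest are worthless
    started = clock()
    restored = restore()
    elapsed = clock() - started
    entries = manifest["entries"]
    missing = [n for n in entries if n not in restored]
    corrupted = [n for n, meta in entries.items() if n in restored and
                 (len(restored[n]) != meta["size"] or sha256_hex(restored[n]) != meta["sha256"])]
    unexpected = [n for n in restored if n not in entries]
    age = now - datetime.fromisoformat(manifest["taken_at"])
    return DrillResult(True, missing, corrupted, unexpected, elapsed, age,
                       rto_met=elapsed <= rto.total_seconds(), rpo_met=age <= rpo)


# --- constructed sample data, not real records ---
TAKEN_AT = datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE = {f"ledger/2025-02-{d:02d}.csv": f"account,amount\nA{d},{d * 100}\n".encode()
          for d in range(1, 6)}
MANIFEST = build_manifest(SAMPLE, TAKEN_AT)
RECORDED_DIGEST = MANIFEST["manifest_sha256"]  # stands in for the copy kept out of band
RTO, RPO = timedelta(hours=4), timedelta(hours=24)
NOW = TAKEN_AT + timedelta(hours=6)


def clean_restore() -> dict[str, bytes]:
    return dict(SAMPLE)


def shared_fate_restore() -> dict[str, bytes]:
    """A 'backup' that lived next to production: one file encrypted, one deleted."""
    copy = dict(SAMPLE)
    copy["ledger/2025-02-03.csv"] = b"\x00ENC\x00" + copy["ledger/2025-02-03.csv"]
    del copy["ledger/2025-02-05.csv"]
    return copy


def drill(restore, clock=time.monotonic, now=NOW, manifest=MANIFEST) -> DrillResult:
    return run_restore_drill(manifest, RECORDED_DIGEST, restore, RTO, RPO, now, clock)


if __name__ == "__main__":
    for name, fn in (("clean", clean_restore), ("shared-fate", shared_fate_restore)):
        r = drill(fn)
        print(f"{name}: {'PASS' if r.passed else 'FAIL'} missing={r.missing} "
              f"corrupted={r.corrupted} age={r.data_age} elapsed={r.elapsed_s:.3f}s")
```

The drill fails closed: a manifest whose recomputed digest does not match the independently recorded one is rejected before any object hashes are trusted, since an attacker who can rewrite backup data can usually rewrite a manifest stored beside it. The `DrillResult` fields (missing, corrupted, unexpected, elapsed time, data age) are the evidence an auditor will ask for, so the drill should write them to the backup log rather than only printing them.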
TL;DR
- DORA mandates physically and logically segregated backup for EU financial institutions
- Cloud snapshots and synchronized copies that share a tenant, credentials, or failure domain with production don't meet DORA's resilience requirements
- True backup requires independent infrastructure with immutability and air-gapping
- Cyber storage is the modern approach to backup that embeds security and recovery assurance
Source: Keepit Blog: Cyber storage and DORA: Why true backup is central to operational resilience