How data backups can strengthen your Digital Operational Resilience Act (DORA) compliance efforts

Megan Dean | Last updated on December 3, 2024 | 4 minute read

The EU’s Digital Operational Resilience Act (DORA) is scheduled to go into effect in January 2025, which means time is of the essence for financial entities to ensure that they are compliant with the new regulations. At its core, the Act aims to bolster the financial sector’s digital resilience against cyber threats while fostering more efficient and reliable operations.

If you’re reading this, you’re probably interested in learning how your company can better align with DORA’s goals—and at Rewind, we’re constantly thinking about how we can support our customers’ compliance needs. By integrating a third-party backup and recovery solution, you’ll be able to quickly recover from data loss incidents and future-proof your SaaS data—ultimately strengthening your organization’s resilience against threats and disasters.

How data backups support DORA compliance

DORA covers a broad spectrum of requirements, all aimed at enhancing financial entities’ risk management frameworks. Let’s break down how a data backup strategy supports your DORA compliance goals across the regulation’s key pillars.

ICT risk management

Under DORA, financial entities are required to develop, implement, and maintain resilient Information and Communication Technology (ICT) systems and protocols. Regular, secure backups are essential for ensuring that critical business data remains protected and recoverable in the event of disruptions or cyber incidents. 

Establishing a thorough risk assessment process helps pinpoint vulnerabilities in digital operations, allowing for proactive risk mitigation rather than reactive measures. A well-defined ICT risk management strategy that includes frequent backups and redundant copies of critical business data ensures preparedness for a swift response to potential threats and minimizes the impact of ICT disruptions on business continuity.

Cyber incident reporting and response

Under DORA, quickly and efficiently reporting and responding to ICT-related incidents becomes mandatory. Financial institutions must ensure that they have mechanisms in place for fast incident response. SaaS backups provide a crucial layer of defense by ensuring that recent, secure copies of data are available for recovery. These backups allow companies to restore data quickly, minimizing downtime and preventing extended business disruptions.

Operational resilience testing

DORA outlines requirements for financial entities to establish, maintain, and review a sound and comprehensive digital operational resilience testing program. This includes both basic and advanced methods, such as threat-led penetration tests and business continuity testing. 

Incorporating SaaS backups into operational resilience tests, and regularly testing backup retrieval and restoration processes, ensures that data can be quickly and reliably recovered during disruptions. At Rewind, we recommend simulating various incident scenarios, such as data corruption, accidental deletion, or ransomware attacks, to assess how quickly and reliably you can recover your SaaS data.

Regularly conducting these tests builds confidence that your data backup solution performs as expected. This strengthens overall operational resilience by confirming that critical data is protected and readily accessible in the face of incidents.
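The restore drill described above can be automated so that it runs on a schedule and produces an auditable pass/fail record. The script below is an added example written for this article, not Rewind's code or product: it takes a hashed snapshot of a constructed set of account-level records, then exercises three of the scenarios named above (accidental deletion, silent corruption of live data, and tampering with the backup copy itself) and checks that the newest backup is younger than a recovery point objective. The invoice records, the snapshot format and the 24-hour RPO are assumptions chosen for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of account-level SaaS data (the kind of user-generated
# data a provider typically does not back up for you). Hypothetical shape.
LIVE_DATA = {
    "inv-1001": {"customer": "acme", "amount": 1200.00, "status": "paid"},
    "inv-1002": {"customer": "globex", "amount": 560.50, "status": "open"},
    "inv-1003": {"customer": "initech", "amount": 99.99, "status": "paid"},
}


def _digest(record):
    """Canonical SHA-256 of one record (sorted keys keep the hash stable)."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def _manifest(items):
    """Hash over all per-item hashes, so a missing or extra item is detected."""
    joined = "".join(items[k]["sha256"] for k in sorted(items))
    return hashlib.sha256(joined.encode()).hexdigest()


def take_backup(data, taken_at):
    """Snapshot every item together with its hash and a whole-backup manifest."""
    items = {k: {"record": copy.deepcopy(v), "sha256": _digest(v)} for k, v in data.items()}
    return {"taken_at": taken_at.isoformat(), "items": items, "manifest": _manifest(items)}


def verify_backup(backup):
    """Return (ids whose content no longer matches its stored hash, manifest_ok)."""
    bad = [k for k, it in backup["items"].items() if _digest(it["record"]) != it["sha256"]]
    return bad, _manifest(backup["items"]) == backup["manifest"]


def restore(backup, target, item_ids=None):
    """Restore selected items (or all) into target; refuse if the backup fails verification."""
    bad, manifest_ok = verify_backup(backup)
    if bad or not manifest_ok:
        raise ValueError(f"backup failed integrity check: corrupted={bad}, manifest_ok={manifest_ok}")
    for k in (item_ids if item_ids is not None else list(backup["items"])):
        target[k] = copy.deepcopy(backup["items"][k]["record"])
    return target


def rpo_met(backup, now, max_age):
    """True if the backup is no older than the recovery point objective."""
    return now - datetime.fromisoformat(backup["taken_at"]) <= max_age


def run_restore_drill(backup_age_hours=6, rpo_hours=24):
    """Run the drill scenarios and return a pass/fail report suitable for an audit log."""
    now = datetime.now(timezone.utc)
    backup = take_backup(LIVE_DATA, now - timedelta(hours=backup_age_hours))
    report = {"rpo_met": rpo_met(backup, now, timedelta(hours=rpo_hours))}

    # Scenario 1: accidental deletion of one item -> single-item restore.
    live = copy.deepcopy(LIVE_DATA)
    del live["inv-1002"]
    restore(backup, live, ["inv-1002"])
    report["accidental_deletion"] = live == LIVE_DATA

    # Scenario 2: silent corruption in the live system -> full restore.
    live = copy.deepcopy(LIVE_DATA)
    live["inv-1001"]["amount"] = 0.01
    restore(backup, live)
    report["data_corruption"] = live == LIVE_DATA

    # Scenario 3: the backup copy itself was tampered with -> restore must refuse.
    tampered = copy.deepcopy(backup)
    tampered["items"]["inv-1003"]["record"]["status"] = "void"
    try:
        restore(tampered, copy.deepcopy(LIVE_DATA))
        report["tampered_backup_detected"] = False
    except ValueError:
        report["tampered_backup_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

Each scenario ends in a boolean so the report can be retained as evidence that the restoration process was exercised, and a failing entry (for example `rpo_met` turning false because the last backup is older than the objective) is what a resilience test is meant to surface before a real incident does.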

Third-party risk management

Given the increasing reliance on third-party ICT service providers, DORA emphasizes the need to manage and monitor these relationships closely. Third-party disruptions can have a domino effect on financial operations. In a Gartner survey, 84% of respondents said that third-party risk incidents resulted in disruptions to their operations. By assessing and managing vendor risks, organisations can ensure continuity in their services, even if a vendor faces challenges.

While DORA applies to financial entities, third-party vendors who work with these financial entities are expected to have a DORA-compliant security program in place as well. This is to not only provide assurance of customer data protection with a strong cybersecurity risk program, but also to emphasize the need for reliable availability and business resilience controls throughout the supply chain.

It’s important for third-party vendors to ensure that they can support their financial customers with a robust backup strategy. Many third-party SaaS providers do not guarantee the availability of your account-level data, meaning that you must consider the Shared Responsibility Model (SRM). In short, the SRM outlines how SaaS providers don’t take responsibility for your individual account data—which means you are solely responsible for protecting your user-generated data.

Including the Shared Responsibility Model in third-party risk assessments is key to clarifying which aspects of data protection fall on the third-party provider and which remain your company’s responsibility. Often, SaaS providers focus on platform-wide infrastructure availability and security, but aren’t responsible for backing up or restoring your user-generated data. 

By analyzing the Shared Responsibility Model during a risk assessment, your company can identify any gaps in backup coverage provided by the provider. The good news? If critical data is not automatically or fully backed up by the SaaS provider, a third-party, platform-independent solution can effectively fill this gap. This ensures that you maintain control over your data protection and recovery processes, minimizing potential data loss and enhancing overall resilience.

Strengthen your business resilience with Rewind

2025 is fast approaching—don’t forget to include SaaS backups in your DORA compliance strategy. 

Maintain business continuity, streamline operations, and stay audit-ready with Rewind’s automated data backup and restoration solutions. Our backup and recovery apps integrate directly with your SaaS platforms, allowing you to back up and restore individual items of data or your entire file set with ease. Learn more about protecting your business-critical data with Rewind.

If you’re looking for a comprehensive overview of DORA and steps to start preparing for the upcoming changes, read our guide now.

Megan Dean
Megan Dean is an experienced Information Security Professional with a focus on governance, risk, and compliance. She is a Certified Information Systems Security Professional (CISSP) and a Systems Security Certified Practitioner (SSCP). She currently serves as Rewind's Staff Information Security & Risk Compliance Analyst. In her spare time, Megan can usually be found watching documentaries, playing video games, or reading the latest cybersecurity news.