The financial sector has always operated under strict regulatory expectations, but the Digital Operational Resilience Act (DORA) marks a new chapter. DORA demands that organisations prove they can withstand Information and Communication Technology (ICT) disruptions and recover quickly. The act puts pressure on how financial companies protect their data and validate their systems, raising the bar on how backup data is stored.
Why DORA is relevant now more than ever
The latest Threat Landscape report from ENISA (the EU's cyber security agency) confirms that ransomware activity continues to intensify across the EU, driven by ransomware-as-a-service models and rapid exploitation of newly disclosed vulnerabilities. Ransomware remains the most economically damaging category of cyber incident, and its impact is not limited to isolated outages or to companies with weak security defences. A single compromised system can harm the customers, markets, and vendors connected to it. The purpose of DORA is to make resilience an industry-wide requirement rather than a voluntary goal.
For many organisations, this means reassessing long-held assumptions about their ability to recover from an attack. It also means recognising that financial data compliance now extends beyond preventing breaches to demonstrating that backup data remains intact and recoverable after one.
DORA - changing how organisations operate
DORA elevates ICT risk to a governance responsibility. Boards and executive teams must understand how their systems behave during a disruption and what it takes to restore operations. The regulation also forces organisations to look closely at the systems they rely on every day. Backup environments, vendor relationships, and recovery processes are now central to meeting industry regulations tied to financial data compliance.
The real challenge: proving resilience, not declaring it
Many organisations have policies that look strong on paper but fall short when tested. DORA exposes this gap. It requires evidence that systems can recover without issue, that data is protected from tampering, and that recovery processes work during an attack.
This is where backup architecture plays a leading role. If recovery data is compromised or restoration is delayed, resilience - and consequently financial data compliance - inevitably suffer.
Where most organisations are still unprepared
Even well‑resourced teams often overlook areas that matter most during an incident:
- Incomplete segmentation: networks need to be segmented to contain breaches, including logical separation between the backup software and the backup storage, so that an attacker who has obtained administrator credentials for one cannot use them to alter or delete data on the other
- Untested recovery processes: procedures that have not been validated end-to-end, from external penetration testing through to a complete restore of production systems
- Limited visibility: uncertainty about how data is stored, protected, and restored, compounded by a lack of up-to-date documentation
Focusing on these areas will help organisations build the resilience needed for DORA compliance, even when under attack.
How Object First can help
DORA makes clear that operational resilience depends on the ability to securely restore ICT systems and data without integrity loss or corruption. If organisations cannot recover clean, uncompromised data, they can’t ensure the continuity of critical services.
This is where Object First backup storage comes in. Absolute Immutability ensures that backup data cannot be altered or deleted by anyone, removing the risk of tampering even in the worst‑case scenario where all credentials are compromised. It gives organisations a dependable last line of defence, and it supports the level of assurance regulators now expect.
To learn more about how absolutely immutable backups can ensure operational resilience and by extension regulatory compliance, download our guide to Digital Operational Resilience Act (DORA).
