Question ID: DORA038 - 2991
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: Other DORA topics
Article: 12
Status: Final
Date of submission: 14 Feb 2024
Question
Art. 12 III DORA: When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. What does DORA mean by "recovering backed-up data using own systems"? What does "own systems" mean? What is the source ICT system? The productive system whose data is backed-up or the system where the backed-up data is stored?
EIOPA answer
The terms “own systems” and “source ICT systems” are not defined in DORA. However, in order to understand the policy intention behind Article 12(3) of DORA, the provisions should be understood as restoring the backup data by using ICT systems for which the financial entity has full control and responsibility. When the financial entity restores the backup data, it shall use ICT systems that are not directly connected with the main one and that are securely protected from any unauthorized access or ICT corruption.