
AZ Monica crippled by ransomware: why immutable backups matter

Belgium’s AZ Monica hospital shut down its servers after a cyberattack. Here’s how immutable, isolated backups enable fast recovery aligned with DORA/NIS 2.

A Belgian hospital (AZ Monica, Antwerp) was forced to shut down all servers on 13 January 2026, cancel surgeries and transfer patients after a likely ransomware attack. Here is how immutable, isolated backups prevent the worst — and meet DORA/NIS 2.

The facts

On 13 January 2026, AZ Monica hospital (Antwerp/Deurne) “unplugged” all servers at 06:32, suspended scheduled procedures, and diverted critical patients, with its ER operating at reduced capacity. The hospital cited an ongoing cyberattack, switching to degraded mode and activating its crisis unit. Local sources quickly pointed to ransomware. BleepingComputer confirmed server shutdowns and patient transfers following the attack, publishing the hospital’s statement: BleepingComputer.

Within 24–48 hours, multiple Belgian and EU outlets reported extensive postponements: up to 70 surgeries canceled on day one according to Techzine (Techzine). The Register detailed server shutdowns, canceled procedures, and transfers of critical patients to other hospitals (The Register). A month later, full normal operations had still not been restored per specialist press tracking (Cyberwarzone). Bottom line: deferred care, days of clinical system downtime, and costly emergency mobilization.

This is not an outlier: ransomware continues to target essential services across Europe, and recovery often exceeds a week when backups are impacted or encrypted.

The legal framework

For financial entities, DORA sets clear requirements for continuity and backups: DORA Article 12 mandates “backup policies and procedures, restoration and recovery methods”; activating backups must not jeopardize availability, integrity, or confidentiality. Official references: EBA — DORA, Art. 12 and EUR‑Lex 2022/2554. For a practical overview in Luxembourg, see our page on DORA operational resilience requirements.

For essential/important entities outside finance (including healthcare), NIS 2 requires risk management measures covering continuity and recovery: NIS 2 Article 21(2)(c): “business continuity, such as backup management and disaster recovery, and crisis management.” Official reference: EUR‑Lex 2022/2555. In Luxembourg, the regulator ILR also mandates notifying a significant incident within 24 hours (early warning), then 72 hours, and a final report within 1 month: ILR — NIS 2 FAQ. Compliance teams may use our overview of NIS 2 obligations for essential entities as a guide.

Operational takeaway: an organization under NIS 2 or DORA must prove it can rapidly restore services from backups that are intact, attacker‑tamper‑proof, stored in isolated environments, and regularly tested.

The technical solution to deploy

Goal: survive mass encryption and data theft by restoring fast, without paying.

1) Immutable backups (WORM)

  • Principle: make copies non‑modifiable/non‑deletable for a set retention (S3 Object Lock, immutable snapshots, array WORM, digital vaults).
  • Effect: even with compromised accounts, ransomware cannot encrypt or purge backup history.

2) Network isolation and authority separation

  • Keep primary backups outside the production AD domain, with network segmentation (logical/physical air‑gap) and distinct admin accounts (tiering).
  • Access via bastion, strong MFA and least privilege. No permanent mounts; prefer controlled export/ingest windows.

3) Modernized 3‑2‑1‑1‑0 rule

  • 3 copies, 2 media, 1 offsite, 1 immutable/offline, 0 errors verified through automated restore tests and integrity checks (checksums).
  • Add key rotation and retention aligned to your RPO/RTO (e.g., 7/30/90 days).

4) Access controls and hardening

  • Phishing‑resistant MFA for backup consoles; identity vault for break‑glass accounts; tamper‑proof logs.
  • Egress/ingress filtering on backup repositories; backup signing; at‑rest/in‑transit encryption with HSM‑backed keys.

5) Regular recovery testing

  • Monthly granular restores and quarterly end‑to‑end app recovery (EHR/ERP, databases, files, VMs/containers).
  • Systematic RPO/RTO measurement, timestamped evidence and traceability (chain of custody) for audits and notifications.
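The "0 errors" of the 3‑2‑1‑1‑0 rule and the timestamped RPO/RTO evidence of a restore drill, as an added example in Python (not Luxgap's tooling): a checksum manifest is written at backup time, a restore is timed, every restored file is verified against the manifest, and the result is compared with assumed RPO/RTO targets (24h/6h). The backup set is constructed in a temporary directory; in production the manifest should be signed and kept in the immutable repository, not only next to the copy.

```python
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record one checksum per file at backup time (store it with the immutable copy, ideally signed)."""
    files = {p.name: sha256_file(p) for p in sorted(backup_dir.iterdir()) if p.is_file()}
    out = backup_dir / "MANIFEST.json"
    out.write_text(json.dumps({"taken_at": datetime.now(timezone.utc).isoformat(), "files": files}))
    return out


def verify_restore(backup_dir: Path, restore_dir: Path, rpo: timedelta, rto: timedelta) -> dict:
    """Restore into restore_dir, re-hash every file against the manifest, and time the operation."""
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir)  # stands in for the real restore job
    manifest = json.loads((restore_dir / "MANIFEST.json").read_text())
    errors = [name for name, digest in manifest["files"].items()
              if not (restore_dir / name).is_file() or sha256_file(restore_dir / name) != digest]
    elapsed = timedelta(seconds=time.monotonic() - start)
    age = datetime.now(timezone.utc) - datetime.fromisoformat(manifest["taken_at"])
    return {"errors": errors, "rpo_met": age <= rpo, "rto_met": elapsed <= rto,
            "restore_seconds": elapsed.total_seconds(), "verified_at": datetime.now(timezone.utc).isoformat()}


def demo(tamper: bool = False) -> dict:
    """Constructed backup set of two files; with tamper=True one copy is overwritten after the manifest was taken."""
    work = Path(tempfile.mkdtemp())
    backup, restore = work / "backup", work / "restore"
    backup.mkdir()
    (backup / "ehr.db").write_bytes(b"patient records " * 1000)
    (backup / "config.yaml").write_text("site: constructed-example\n")
    write_manifest(backup)
    if tamper:
        (backup / "ehr.db").write_bytes(b"\x00" * 16)  # simulates a corrupted or encrypted copy
    try:
        return verify_restore(backup, restore, rpo=timedelta(hours=24), rto=timedelta(hours=6))
    finally:
        shutil.rmtree(work)
```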

Frameworks

  • ISO/IEC 27001:2022 Annex A.8.13 (Backup), A.5.30 (ICT Continuity).
  • NIST CSF 2.0: PR.DS‑08 (data is backed up and protected), RS.RP‑01/02 (response/recovery plans tested).
  • CIS Controls v8: Control 11 (Data Recovery), Control 4 (Access Management — separate admin accounts).

How Luxgap implements this

• ISO 27001 governance: scoping DORA/NIS 2 requirements, defining RTO/RPO per business process, mapping critical applications, and drafting Backup & Recovery policies aligned to DORA Art. 12 / NIS 2 Art. 21. We work with certified Lead Implementers/Auditors to document evidence for audits. To accelerate, our business continuity and disaster recovery (BCP/DRP) offering for DORA provides method and tooling.

• 24/7 managed SOC: monitoring backup consoles and immutable repositories (abnormal delete/modify alerts, job failures, exfiltration), detecting ransomware patterns (write bursts, suspicious extensions), SIEM integration for forensics and incident timelines. In practice, our managed SOC for incident detection integrates with your backups and EDR/XDR.

• Fractional CISO/DPO: orchestrating restore drills, crisis communications, and preparing ILR/CNPD/CER notifications on the 24h/72h/1‑month timeline, with decision logs and chain‑of‑custody records.

In practice, we:

  1. Audit your architecture (AD domains, backup paths, appliance attack surfaces).
  2. Deploy an isolated immutable target (WORM + dedicated network), with separate accounts and roles.
  3. Build SOAR playbooks to trigger “backup isolation” upon ransomware detection.
  4. Industrialize restore testing (automated runbooks, RTO/RPO metrics, timestamped proof).
  5. Align compliance documentation and indicators for DORA/NIS 2.

Real‑world case in Luxembourg/EU

A DORA‑regulated EU financial institution ran “connected” backups within its production domain. In 6 weeks, we:

  • migrated repositories to object storage with 30/90‑day WORM lock;
  • separated administration (break‑glass accounts off SSO, bastion, FIDO2 MFA);
  • added encrypted replication to an isolated secondary site;
  • scripted monthly restore tests (DB + critical VMs) with automated reporting.

Outcome: demonstrated 6h RTO for ERP and 2h for messaging; audit‑ready evidence, and a documented ILR/CSSF notification scenario.

Where to start

  1. Assess your backups: where they live, who can delete them, and when your last end‑to‑end restore was tested.
  2. Enable immutability: on object (S3/compatible), turn on Object Lock (Compliance mode) with proper retention; otherwise use immutable snapshots/WORM appliances.
  3. Isolate: remove repositories from prod domain, create a dedicated network with bastion and just‑in‑time access; forbid permanent mounts.
  4. Separate roles: distinct backup admin accounts, phishing‑resistant MFA, vault for secrets and keys.
  5. Test and measure: restore a critical service this week; capture RTO/RPO, gaps and actions; plan a monthly drill and quarterly crisis exercise.
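Step 2 above and the WORM principle in section 1 both come down to how the lock is configured. As an added example (not Luxgap's code), this Python check takes a bucket's Object Lock configuration in the shape boto3's `get_object_lock_configuration` returns and flags the settings the page warns against: lock disabled, no default retention, Governance mode (which a principal holding `s3:BypassGovernanceRetention` can override) rather than Compliance mode, or a retention shorter than an assumed 30‑day policy floor. The two sample configurations are constructed, not taken from a real account.

```python
from typing import Any, Dict, List

# Policy floor assumed for this check; the page's own examples use 30/90-day locks.
MIN_RETENTION_DAYS = 30


def assess_object_lock(response: Dict[str, Any]) -> List[str]:
    """Return findings for an S3 GetObjectLockConfiguration-style response; an empty list means it passes.

    With boto3 the input would be boto3.client("s3").get_object_lock_configuration(Bucket=name).
    """
    cfg = response.get("ObjectLockConfiguration") or {}
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock not enabled: any principal with s3:DeleteObjectVersion can purge backup history"]
    retention = (cfg.get("Rule") or {}).get("DefaultRetention") or {}
    if not retention:
        return ["no default retention: new backup objects land unlocked unless each PUT sets retention"]
    findings: List[str] = []
    mode = retention.get("Mode")
    if mode == "GOVERNANCE":
        findings.append("GOVERNANCE mode: s3:BypassGovernanceRetention lets a compromised admin delete locked "
                        "versions; use COMPLIANCE so retention cannot be shortened by any account")
    elif mode != "COMPLIANCE":
        findings.append(f"unexpected retention mode {mode!r}")
    # Object Lock retention is expressed either in Days or in Years, never both.
    days = retention.get("Days", retention.get("Years", 0) * 365)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention of {days} days is below the {MIN_RETENTION_DAYS}-day policy floor")
    return findings


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
HARDENED = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_object_lock(cfg) or ["ok"])
```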

Official sources

News — AZ Monica (Antwerp), 13–14 January 2026:

Regulatory — backup/continuity obligations:

In short: the AZ Monica incident showed that “pulling the plug” freezes care and costs dearly. With immutable, isolated, tested backups governed under DORA/NIS 2, you can restore fast — without paying. Luxgap can get you there in 4–8 weeks with audit‑grade evidence.
