
Immutable, isolated backups: meeting DORA on ransomware resilience

DORA requires restorable, isolated backups. Immutable backups and network isolation meet these obligations while reducing ransomware risk.

Excerpt — DORA mandates restorable, isolated backups to keep operations running during major incidents. Here is how immutable backups and network isolation fulfill these obligations without unnecessary complexity.

What the law requires

The DORA Regulation (EU) 2022/2554, applicable since 17 January 2025, requires financial entities to maintain an ICT business continuity policy together with response and recovery mechanisms that cover backup and restoration.

  • Article 11 – Response and recovery: an ICT business continuity policy and ICT response and recovery plans covering rapid activation of the plans, containment of damage, and prioritised restoration of critical or important functions; the plans must be tested at least yearly. EUR‑Lex – DORA.
  • Article 12 – Backup policies and procedures, restoration and recovery: documented backup policies stating the scope and minimum frequency of backups according to the criticality of the data, with restoration and recovery procedures that are tested periodically; when restoring from backups, the entity must use ICT systems that are physically and logically segregated from the source system and protected against unauthorised access and ICT corruption, so that restoration is timely. EUR‑Lex – DORA.

In Luxembourg, the CSSF underscores DORA’s primacy since 17 January 2025 and embeds these requirements in its 2026 supervisory priorities. CSSF – DORA go‑live; CSSF – 2026 priorities.

Finally, ENISA reiterates that ransomware resilience hinges on regular, network‑isolated backups and application of the 3‑2‑1 rule. ENISA – Ransomware: good practices.

The technical solution (state of the art)

Combining immutable backups with network isolation ensures that even if production is compromised (ransomware, wiping, sabotage), clean, tamper‑resistant, rapidly restorable copies remain beyond the attacker's reach.

1) Backup immutability

  • WORM storage (write‑once, read‑many) or retention locks (object lock in a compliance mode that even the storage administrator cannot lift) making blocks/chunks unmodifiable and undeletable for a defined retention period.
  • Chain of trust: signed catalogs, per‑version hashing of every object, and append‑only (hash‑chained) logs, so a modified chunk or a rewritten catalog entry is detected rather than silently restored.
  • Encryption at rest and in transit (AES‑256‑GCM, TLS 1.2+), with keys held in a KMS/HSM that is administered separately from the backup platform.
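The chain of trust above can be made concrete with a small hash‑chained, signed catalog. The following is an added example written for this article; it is not Luxgap's code nor any backup vendor's. The chunk names, sample contents and the signing key are constructed for illustration; in a real deployment the key would sit in a KMS/HSM the backup server cannot read back. The final verification step is the automated "0 errors" check of the 3‑2‑1‑1‑0 rule: every restored object is compared to the hash recorded in the signed catalog.

```python
"""Hash-chained, HMAC-signed backup catalog with restore verification.

Added example for this article (not Luxgap's or a vendor's code). Sample chunk
names, data and the signing key are constructed; the key is a constant only so
the example runs offline (assumption: in production it lives in a KMS/HSM).
"""
import hashlib
import hmac
import json

CATALOG_SIGNING_KEY = b"example-kms-key-do-not-use"  # assumption: KMS/HSM-held in reality
GENESIS = "0" * 64  # hash that the first catalog entry chains to


def chunk_digest(data: bytes) -> str:
    """Per-version hash of one backup object."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(catalog: list, version: int, path: str, data: bytes) -> dict:
    """Append-only log: each entry commits to the previous entry's hash."""
    prev = catalog[-1]["entry_hash"] if catalog else GENESIS
    body = {"version": version, "path": path, "sha256": chunk_digest(data), "prev": prev}
    body["entry_hash"] = _entry_hash({k: body[k] for k in ("version", "path", "sha256", "prev")})
    catalog.append(body)
    return body


def sign_catalog(catalog: list) -> str:
    """HMAC over the chain head; signing the head commits to every earlier entry."""
    head = catalog[-1]["entry_hash"] if catalog else GENESIS
    return hmac.new(CATALOG_SIGNING_KEY, head.encode(), hashlib.sha256).hexdigest()


def verify_catalog(catalog: list, signature: str) -> bool:
    """Recompute the chain entry by entry, then check the signature on the head."""
    prev = GENESIS
    for e in catalog:
        if e["prev"] != prev:
            return False  # link broken: an entry was removed or reordered
        body = {k: e[k] for k in ("version", "path", "sha256", "prev")}
        if _entry_hash(body) != e["entry_hash"]:
            return False  # entry contents rewritten
        prev = e["entry_hash"]
    return hmac.compare_digest(sign_catalog(catalog), signature)


def verify_restore(catalog: list, restored: dict) -> list:
    """Compare restored objects to the newest catalogued hash per path; return mismatches."""
    latest = {}
    for e in catalog:
        latest[e["path"]] = e["sha256"]  # later versions overwrite earlier ones
    errors = [p for p, h in latest.items()
              if p not in restored or chunk_digest(restored[p]) != h]
    return sorted(errors)


def demo() -> dict:
    """Build a catalog over constructed chunks, then replay three tampering scenarios."""
    chunks = {"db/ledger.bak": b"ledger v1", "fs/config.tar": b"config v1"}  # constructed
    catalog = []
    for version, (path, data) in enumerate(sorted(chunks.items()), start=1):
        append_entry(catalog, version, path, data)
    chunks["db/ledger.bak"] = b"ledger v2"  # a newer backup of the same object
    append_entry(catalog, 3, "db/ledger.bak", chunks["db/ledger.bak"])
    signature = sign_catalog(catalog)

    results = {"intact": verify_catalog(catalog, signature) and verify_restore(catalog, chunks) == []}

    # Scenario 1: ransomware overwrote the restore source with ciphertext.
    encrypted = dict(chunks)
    encrypted["db/ledger.bak"] = b"\x8f\x13\x07\xc2\x99\x41\x6d\xe0"
    results["encrypted_chunk"] = verify_restore(catalog, encrypted)

    # Scenario 2: attacker rewrites the catalog entry to match the ciphertext.
    forged = json.loads(json.dumps(catalog))
    forged[-1]["sha256"] = chunk_digest(encrypted["db/ledger.bak"])
    results["forged_entry"] = verify_catalog(forged, signature)

    # Scenario 3: attacker truncates the log to hide the latest version.
    results["truncated"] = verify_catalog(catalog[:-1], signature)
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 2 fails because the entry hash no longer matches, and scenario 3 fails because the signed head no longer equals the last surviving entry; neither can be repaired without the signing key, which is why that key must not be reachable from the backup server or from production credentials.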

2) Network isolation and clean room

  • Physical/logical segregation: a dedicated backup network, isolated VLANs/VRFs, default‑deny firewalls, and no route from production to the vaults (the backup server pulls from production; production never initiates connections to the vault).
  • Separate admin accounts and MFA, least‑privilege PAM to shrink the blast radius upon compromise.
  • Clean‑room restoration environment to validate and bring services back without reintroducing infection.

3) Retention strategy and testing

  • 3‑2‑1‑1‑0 rule: 3 copies, 2 media, 1 off‑site, 1 immutable/air‑gapped, 0 errors (automated verifications and regular restore tests). Aligned with ENISA guidance. ENISA.
  • RPO/RTO objectives aligned to business impact analysis and DORA art. 11 “critical or important” functions.

4) Telemetry and detection

  • Anomaly detection on backup streams: change rate against a per‑source baseline, byte entropy of sampled content (ciphertext approaches 8 bits/byte), and renamed or newly appeared file extensions.
  • Immutable logging (WORM) for post‑incident forensics and reporting obligations.
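The detections listed above can be expressed as a few rules run over the backup job and vault audit stream. The code below is an added example for this article, not Luxgap's SOC content or any product's rule language. The event records, source names, thresholds and samples are constructed for illustration; real inputs would be the backup software's job log and the vault's audit log, normalised before they reach the SIEM.

```python
"""Anomaly rules over backup telemetry: change rate, entropy, retention changes, failures.

Added example for this article (not Luxgap's or a product's code). Event records,
thresholds and content samples are constructed; field names are assumptions.
"""
import math
from collections import Counter
from statistics import median

# Constructed content samples standing in for a few KB read back from each job.
PLAINTEXT_SAMPLE = b"2025-01-17;ACME SA;invoice 4711;EUR 12500.00;paid\n" * 8
ENCRYPTED_SAMPLE = bytes(range(256)) * 4  # uniform bytes: 8.0 bits/byte, like ciphertext

# Constructed event stream (assumed normalised form). Three normal jobs on fs-01,
# then one with ~20x the usual changed bytes and ciphertext-like content, a vault
# retention reduction, and three consecutive failures on db-01.
SAMPLE_EVENTS = [
    {"id": "J-100", "type": "job", "source": "fs-01", "status": "success", "changed_bytes": 2_100_000, "sample": PLAINTEXT_SAMPLE},
    {"id": "J-101", "type": "job", "source": "fs-01", "status": "success", "changed_bytes": 1_900_000, "sample": PLAINTEXT_SAMPLE},
    {"id": "J-102", "type": "job", "source": "fs-01", "status": "success", "changed_bytes": 2_300_000, "sample": PLAINTEXT_SAMPLE},
    {"id": "J-103", "type": "job", "source": "fs-01", "status": "success", "changed_bytes": 41_000_000, "sample": ENCRYPTED_SAMPLE},
    {"id": "E-200", "type": "retention_change", "vault": "vault-lux-1", "old_days": 90, "new_days": 1, "actor": "svc-backup"},
    {"id": "J-104", "type": "job", "source": "db-01", "status": "failed"},
    {"id": "J-105", "type": "job", "source": "db-01", "status": "failed"},
    {"id": "J-106", "type": "job", "source": "db-01", "status": "failed"},
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_events(events, window=5, change_ratio=3.0, entropy_bits=7.5, fail_streak=3):
    """Return alerts as dicts {id, rule, detail}; thresholds are illustrative assumptions."""
    alerts = []
    history = {}   # source -> changed_bytes of recent, non-anomalous successful jobs
    failures = {}  # source -> consecutive failed jobs
    for ev in events:
        if ev["type"] == "retention_change":
            # Any shortening of retention on a WORM vault is attacker pre-positioning until proven otherwise.
            if ev["new_days"] < ev["old_days"]:
                alerts.append({"id": ev["id"], "rule": "retention_reduced",
                               "detail": f"{ev['vault']}: {ev['old_days']}d -> {ev['new_days']}d by {ev['actor']}"})
            continue
        src = ev["source"]
        if ev["status"] != "success":
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == fail_streak:  # fire once per streak, not on every further failure
                alerts.append({"id": ev["id"], "rule": "failure_spike",
                               "detail": f"{src}: {fail_streak} consecutive failed jobs"})
            continue
        failures[src] = 0
        past = history.setdefault(src, [])
        suspicious = False
        if len(past) >= 3:  # need a baseline before judging change rate
            baseline = median(past[-window:])
            if ev["changed_bytes"] > change_ratio * baseline:
                suspicious = True
                alerts.append({"id": ev["id"], "rule": "change_rate",
                               "detail": f"{src}: {ev['changed_bytes']} changed bytes vs baseline {baseline:.0f}"})
        ent = shannon_entropy(ev["sample"])
        if ent > entropy_bits:
            suspicious = True
            alerts.append({"id": ev["id"], "rule": "high_entropy",
                           "detail": f"{src}: {ent:.2f} bits/byte in sampled content"})
        if not suspicious:
            past.append(ev["changed_bytes"])  # keep anomalous jobs out of the baseline
    return alerts


if __name__ == "__main__":
    for a in analyse_events(SAMPLE_EVENTS):
        print(a["id"], a["rule"], a["detail"])
```

Two design points matter in practice: anomalous jobs are excluded from the baseline so a slow encryption campaign cannot drag the median upward, and the retention rule fires on the vault's own audit log rather than on the backup server, because an attacker who owns the backup server will also own its logs.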

5) Control frameworks

  • ISO/IEC 27001:2022 Annex A: A.8.13 (information backup), A.5.30 (ICT readiness for business continuity), A.8.2 (privileged access rights), A.8.22 (segregation of networks).
  • NIST CSF 2.0: PR.DS‑11 (backups created, protected, maintained and tested), RS.MI (incident mitigation), RC.RP (incident recovery plan execution), ID.IM‑02 (improvements identified from tests and exercises).
  • CIS Controls v8: Control 11 (Data Recovery), Control 5 (Account Management), Control 13 (Network Monitoring and Defense).

How Luxgap implements this

Our approach is pragmatic, grounded in DORA requirements and local operational realities:

  • ISO 27001 governance: our certified Lead Implementers/Auditors define the backup policy (art. 12) within the ICT business continuity policy (art. 11), set roles and target architecture (environment separation, RPO/RTO, restoration matrix), and align the DORA documentation (policies, procedures, test evidence).
  • Our managed SOC: 24/7 monitoring of backup vaults, anomaly detection on jobs/volumes (encryption‑like behavior, mass deletions), correlation with endpoint/network alerts, and execution of kill switches (segment isolation, failover to immutable copies).
  • Our fractional DPO and CISO: lead clean‑room restore exercises and prepare post‑incident reporting (lessons learned, periodic test evidence) expected by the CSSF under DORA. Reference: CSSF.

Practically, we deliver in four sprints: (1) mapping critical functions and dependencies (on‑prem/cloud/SaaS), (2) design of WORM storage + isolated network + PAM, (3) deployment and immutability locking of the vaults, (4) timed restore tests with DORA reporting.

Case study: a CSSF‑supervised firm in Luxembourg

An investment management firm supervised by the CSSF, multi‑cloud, had backups on unlocked object storage and a backup network routable from production. In 6 weeks:

  • Enabled Object Lock with 30/90‑day retention, signed catalogs, and app‑dedicated buckets.
  • Built an isolated backup network (VRF + L3/L7 firewalls), removed reverse routes, and deployed an admin bastion with MFA and dedicated accounts.
  • Deployed a clean‑room restore environment (virtualization cluster + EDR, no default Internet connectivity).
  • Recovery scenario tested: core PMS restored in 2h40, without re‑introducing malicious payloads (EDR/AV analysis before go‑live).

Result: demonstrable compliance with arts. 11 and 12 (policies, procedures, test logs), integrated into the DORA dossier and auditable by the CSSF. References: EUR‑Lex – DORA; CSSF – 2026 priorities.

First concrete steps

  1. Verify isolation: audit connectivity to your backup vaults. No inbound routes from production; dedicated accounts and MFA.
  2. Enable immutability: configure WORM/Object Lock with retention and legal hold on at least one daily and one weekly set.
  3. Test a clean‑room restore: restore a critical app this week, measure RTO/RPO, and document the runbook (DORA art. 12 – periodic testing).
  4. Secure the catalog: sign and out‑of‑band back up metadata (catalogs/manifests) with WORM logging.
  5. Monitor: stream backup logs to your SIEM/SOC; alert on failure spikes, retention changes, and high entropy.
