ENISA 2026: Separate, tested backups aligned with DORA
ENISA updates its SME guide: backups separated from production, encrypted and end-to-end tested. How immutable, isolated vaults meet DORA Art. 12 and thwart ransomware.
ENISA — “Cybersecurity guide for SMEs” (June 2026) requires separate and tested backups
Excerpt — ENISA updated its “Cybersecurity for SMEs” guide: backups must be separated from production and restoration should be tested regularly. Here is how immutable, isolated backups concretely meet DORA (Art. 12) and undercut ransomware.
The facts
ENISA’s “Cybersecurity for SMEs” guide, released in spring 2026, clearly stresses four backup rules: automation, separation from the production perimeter, encryption of copies, and regular restore testing — ideally a full end‑to‑end restoration test. This is stated verbatim in the “Secure Backups” section of the official document (ENISA, Cybersecurity guide for SMEs, 2026).
Why is this reminder timely? Because attackers now target your backups themselves. On 9 June 2026, Veeam patched a critical flaw (CVE‑2026‑44963) allowing a regular domain user to execute remote code on the backup server if it is joined to Active Directory. That is a prime entry point for corrupting backups before the encryption and extortion phase. Details and fix: BleepingComputer, 9 June 2026.
The applicable legal framework
For financial entities (banks, PSF, funds, insurers, PSPs…), the DORA Regulation mandates a backup policy and robust restoration/recovery procedures. Article 12 (“Backup policies and procedures, restoration and recovery procedures and methods”) notably requires that backup systems can be activated without compromising security, and that adequate redundant capabilities are maintained — beyond a one‑off copy. Official reference: EUR‑Lex — Regulation (EU) 2022/2554 (DORA), Art. 12.
This DORA requirement combines with NIS 2 (for essential and important entities) and, under GDPR (Art. 32), with the obligation to ensure availability and integrity of personal data. The EU regulator’s message is consistent: your backups must be usable during incidents, and their architecture must withstand attacks that specifically aim at backups.
The technical solution to deploy
In practice, an architecture of “immutable backups + network isolation” delivers the controls expected by ENISA and DORA:
- Backup immutability (WORM, S3 Object Lock, immutable snapshots, logical/physical air‑gap). Goal: prevent changes/deletions during the retention period. Control mappings: ISO/IEC 27001:2022 Annex A 5.34 (deletion prevention), A 8.13 (backup), NIST SP 800‑53 CP‑9/10.
- Strict separation of the backup plane from production (accounts, ACLs, network). The backup server must not be in the same Active Directory domain as the endpoints/servers it protects. MFA + bastion access control.
- Encryption at rest and in transit with separate key management (HSM/KMS distinct from the primary cloud — isolation of secrets) to counter exfiltration and satisfy GDPR Art. 32.
- Network segmentation and micro‑segmentation of backup flows (minimal ports/paths, controlled DNAT, application firewalls) to reduce lateral movement towards backup vaults.
- Regular restore testing (recovery runbooks, measured RTO/RPO, documented exercises). Highlighted by ENISA: “test of a full restore from start to finish” — essential for DORA Art. 12.
- Monitoring and hardening of the backup platform (tamper‑proof logs, EDR on backup servers, detection of retention policy sabotage, alerting on mass deletions/abnormal volume drops).
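The last bullet calls for alerting on retention sabotage and mass deletions. The following is an added example (not from ENISA, DORA or Luxgap) of that detection logic run over a constructed CloudTrail-like audit trail; the event field names (eventName, userIdentity, eventTime, requestParameters) and the thresholds are assumptions to adapt to your vault's log format.

```python
"""Flag backup-vault sabotage patterns in an audit trail: bursts of deletions by one
principal and attempts to weaken retention. Event shape and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DELETE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteObjectVersion"}
RETENTION_EVENTS = {"PutObjectRetention", "PutBucketObjectLockConfiguration", "PutBucketLifecycle"}
DELETE_THRESHOLD = 50            # deletions per principal per window before alerting
WINDOW = timedelta(minutes=10)   # sliding window for the deletion count


def detect_sabotage(events: List[Dict]) -> List[str]:
    """Return one alert string per suspicious pattern found in the trail."""
    alerts = []
    deletes = defaultdict(list)  # principal -> timestamps of delete calls inside WINDOW
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who = ev["userIdentity"]
        ts = datetime.fromisoformat(ev["eventTime"])
        name = ev["eventName"]
        if name in RETENTION_EVENTS:
            # Any retention change on a vault deserves a human look; a shortened window is worse.
            params = ev.get("requestParameters", {})
            alerts.append(f"retention change by {who}: {name} "
                          f"mode={params.get('Mode')} days={params.get('Days')}")
        elif name in DELETE_EVENTS:
            window = deletes[who]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.pop(0)  # drop timestamps that fell out of the sliding window
            if len(window) == DELETE_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(f"mass deletion by {who}: {DELETE_THRESHOLD} deletes within {WINDOW}")
    return alerts


def sample_events() -> List[Dict]:
    """Constructed trail: a backup job's normal writes, then a deletion burst and a retention downgrade."""
    base = datetime(2026, 6, 10, 2, 0, 0)
    evs = [{"eventName": "PutObject", "userIdentity": "svc-backup",
            "eventTime": (base + timedelta(seconds=i)).isoformat()} for i in range(20)]
    evs += [{"eventName": "DeleteObjectVersion", "userIdentity": "jdoe",
             "eventTime": (base + timedelta(minutes=30, seconds=i)).isoformat()} for i in range(60)]
    evs.append({"eventName": "PutBucketObjectLockConfiguration", "userIdentity": "jdoe",
                "eventTime": (base + timedelta(minutes=31)).isoformat(),
                "requestParameters": {"Mode": "GOVERNANCE", "Days": 1}})
    return evs


if __name__ == "__main__":
    for alert in detect_sabotage(sample_events()):
        print(alert)
```

Note that a compliance-mode vault would reject the retention downgrade anyway; the alert still matters because it reveals a compromised or misused principal.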
In addition, the BSI’s “Top‑10 anti‑ransomware measures” reminds us that the design of the backup capability is the single most important preventive measure for preserving availability during an attack (BSI — Data backup concept).
How Luxgap delivers this
- Our ISO 27001 governance: we structure the backup policy (BCP/DRP), roles, flow matrix, key management, and evidence of compliance with DORA Art. 12. Our Lead Implementer/Lead Auditor consultants translate requirements into verifiable controls (Annex A 8.13, 5.30, 5.34).
- Our Managed SOC: we integrate logs from vaults/arrays/objects (immutability, lock failures, mass deletions), correlate with EDR, and raise alerts if an account attempts to break retention or if unexpected flows hit the backup network.
- Our outsourced DPO and CISO: we align the backup strategy with GDPR (Art. 32) and NIS 2 obligations, write restoration runbooks, schedule and time recovery tests to demonstrate RTO/RPO to authorities (CSSF/ILR) in case of incident.
Our approach is pragmatic: a “target design” in 2–4 workshops, iterative implementation (immutable vault, AD decoupling, bastion, EDR), then a full restoration exercise documented as a DORA evidence pack.
Real‑world case in Luxembourg or the EU
Realistic example: a Luxembourg management company under DORA had a backup server joined to its AD and modifiable snapshots. In six weeks, we:
- migrated critical backups to an immutable data vault (S3 lock + WORM retention),
- decoupled the control plane (dedicated local admin accounts, MFA bastion),
- segmented flows (dedicated VLANs, minimal L4/L7 rules, copy logging),
- executed an end‑to‑end ERP restore to a recovery site, with measured RTO and signed evidence.
Result: demonstrable compliance with DORA Art. 12, reduced risk of backup sabotage, and tested recovery capability — exactly what ENISA recommends.
Practical first steps
- Isolate your backup this week: if your backup server sits in the same AD as production, urgently create a dedicated local admin account and enforce MFA bastion access; block unnecessary flows.
- Enable immutability: if you use S3‑compatible object storage, enable Object Lock (compliance mode) on a “vault” bucket with minimal retention (e.g., 14–30 days) and versioning.
- Patch the backup stack: apply the latest fixes to your backup software and remove unnecessary network exposure — see the recent alert Veeam CVE‑2026‑44963.
- Schedule a full restore test: pick a critical system, define a scenario, and measure RTO/RPO. Keep logs, screenshots, and attestations — these will be your DORA evidence.
- Document the policy: formalize your backup policy and restoration procedures (who, what, when), aligning with DORA Article 12 and ENISA’s recommendations.
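To turn the “Enable immutability” step into a repeatable check for your DORA evidence pack, here is an added example (not from ENISA or Luxgap) that audits an S3-compatible vault bucket for compliance-mode Object Lock, a minimum default retention and versioning. The two response dicts are constructed samples in the shape boto3's get_object_lock_configuration() and get_bucket_versioning() return; fetching them from the real bucket is assumed and not shown.

```python
"""Audit an S3-compatible backup vault bucket against the Object Lock settings recommended above."""
from typing import Dict, List

MIN_RETENTION_DAYS = 14  # lower bound of the 14-30 day window suggested above


def audit_vault(lock_resp: Dict, versioning_resp: Dict, min_days: int = MIN_RETENTION_DAYS) -> List[str]:
    """Return a list of findings; an empty list means the vault passes."""
    findings = []
    cfg = lock_resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled on the bucket")
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by privileged principals; COMPLIANCE cannot be shortened
        findings.append(f"default retention mode is {mode or 'unset'}, expected COMPLIANCE")
    days = retention.get("Days")
    if days is None and retention.get("Years"):
        days = retention["Years"] * 365  # Object Lock accepts Days or Years, never both
    if days is None or days < min_days:
        findings.append(f"default retention is {days if days is not None else 'unset'} days, "
                        f"below the {min_days}-day minimum")
    if versioning_resp.get("Status") != "Enabled":
        findings.append("bucket versioning is not enabled (object lock requires it)")
    return findings


# Constructed sample: a "vault" bucket that looks locked but is not
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_VERSIONING = {"Status": "Suspended"}

# Constructed sample: the hardened configuration
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
GOOD_VERSIONING = {"Status": "Enabled"}

if __name__ == "__main__":
    for label, lock, ver in (("weak", WEAK_LOCK, WEAK_VERSIONING), ("hardened", GOOD_LOCK, GOOD_VERSIONING)):
        print(label, audit_vault(lock, ver) or ["OK"])
```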
Official sources
- ENISA — Cybersecurity guide for SMEs, “Secure Backups” section (June 2026): PDF
- EUR‑Lex — Regulation (EU) 2022/2554 (DORA), Article 12: official text
- Technical news — Veeam fixes RCE flaw impacting backup servers (9 June 2026): BleepingComputer
- BSI — Ransomware: “Data backup concept” (structuring measures): bsi.bund.de