West Pharmaceutical (4 May 2026): why immutable, isolated backups are vital (DORA)

On 4 May 2026, West Pharmaceutical suffered a ransomware attack with data theft and encryption, halting manufacturing and shipping. Here is the backup architecture that prevents prolonged outages and meets DORA.

What happened

On 4 May 2026, West Pharmaceutical Services (a global manufacturer of drug delivery solutions) detected a ransomware attack that led to data theft and system encryption. The company confirmed the incident in an SEC 8‑K filing and reported global disruptions affecting production, receiving and logistics, before gradually restarting from 14 May. Sources: West’s 8‑K filing of 11 May and subsequent press coverage (SEC 8‑K, 05/11/2026; Cybersecurity Dive, 05/14/2026).

Verified highlights:

  • Intrusion detected on 2026‑05‑04, involving data exfiltration and encryption of critical systems (production, shipping, shared services).
  • Shutdowns and recovery plans were officially communicated, with a site‑by‑site restart and a later statement that the financial impact would be non‑material.

This case reflects a now‑common pattern: ransomware combines data theft (media/regulatory pressure) and encryption (operational pressure), directly impacting the healthcare supply chain.

The applicable legal framework

For financial entities and similar organisations operating in Luxembourg and Europe, ICT operational resilience falls under DORA – Regulation (EU) 2022/2554 (applicable since 17 January 2025, with supervisory ramp‑up over 2025–2026). Two obligations are central to the ransomware risk:

  • Article 11: ICT business continuity policy, with backup and recovery procedures, data loss (RPO) and recovery (RTO) thresholds, and regular recovery exercises (EUR‑Lex, DORA).
  • Article 12: Backup strategies and policies ensuring integrity, availability and authenticity of data (including tamper‑proof backups and proper isolation), with periodic restore testing (EUR‑Lex, DORA).

In practice, supervisors (in Luxembourg: the CSSF for financial entities) expect evidence: a compliant backup architecture, replication logs, restore test reports, and measured RPO/RTO indicators. An operational implementation can be framed via a business continuity and disaster recovery plan and supported by our structured overview of DORA. NIS 2 operators (supervised by the ILR in Luxembourg) face the same resilience and technical evidence requirements.

The technical solution to deploy

Objective: ensure that encryption of production systems neither blocks rapid recovery nor lets malware be re‑introduced during restore. The winning 2026 combination:

  • Immutable backups (WORM/Object Lock): copies are append‑only and locked for a defined period (legal/operational retention). No admin key can modify or delete them during retention. Applicable to on‑prem S3‑compatible object storage and modern backup appliances.
  • Network isolation (logical/physical air‑gap): the primary backup repository is segmented (VLAN/VRF) and protected by dedicated ACLs and firewalls; the secondary repository (vault) is disconnected by default (e.g., separate accounts/tenants, one‑way pull, no persistent SMB/NFS mounts).
  • 3‑2‑1‑1‑0 strategy: 3 copies, on 2 media, 1 offsite, 1 immutable/isolated, 0 restore errors verified by regular tests.
  • Hardened authentication chain: phishing‑resistant MFA on backup consoles, out‑of‑band break‑glass, dedicated just‑in‑time accounts, and an approval workflow for any immutability unlock.
  • Pre‑restore detection: anti‑malware/EDR scanning of backup sets before restore, executable safelists, and “net‑new” restore plans (clean networks, hardened gold images).
  • Scenario‑based restore tests: quarterly exercises (tabletop + dry‑run) covering a critical app restore, site failover, and proof of meeting RPO/RTO.

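To make the immutability point concrete, here is a simplified model of S3 Object Lock retention semantics, the mechanism behind "no admin key can modify or delete them during retention". This is an added illustration, not Luxgap's code nor an AWS implementation; it assumes the documented rules (COMPLIANCE retention can never be shortened or removed, GOVERNANCE can be overridden only with an explicit bypass by a principal holding that permission, a legal hold blocks deletion on its own), and the object key, principal names and dates are constructed.

```python
# Simplified model of S3 Object Lock retention semantics (added example, not
# Luxgap's code nor an AWS implementation). Assumed rules: COMPLIANCE retention
# can never be shortened or removed by anyone; GOVERNANCE can be overridden only
# by a principal holding the bypass permission who explicitly asks for it.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

COMPLIANCE, GOVERNANCE = "COMPLIANCE", "GOVERNANCE"

@dataclass
class LockedObject:
    key: str
    mode: str
    retain_until: datetime
    legal_hold: bool = False

@dataclass
class Principal:
    name: str
    can_bypass_governance: bool = False  # e.g. s3:BypassGovernanceRetention

def lock_backup_set(key, now, days=30):
    """Lock a backup set in COMPLIANCE mode for the 14-30 day window above."""
    return LockedObject(key, COMPLIANCE, now + timedelta(days=days))

def delete_allowed(obj, who, now, bypass_requested=False):
    """Return (allowed, reason) for deleting this object version at time `now`."""
    if obj.legal_hold:
        return False, "legal hold in place"
    if now >= obj.retain_until:
        return True, "retention expired"
    if obj.mode == COMPLIANCE:
        return False, "COMPLIANCE retention until " + obj.retain_until.isoformat()
    if bypass_requested and who.can_bypass_governance:
        return True, "GOVERNANCE bypassed by " + who.name
    return False, "GOVERNANCE retention until " + obj.retain_until.isoformat()

def retention_change_allowed(obj, who, new_mode, new_until, bypass_requested=False):
    """Retention may only be extended; COMPLIANCE can never be relaxed."""
    if obj.mode == COMPLIANCE:
        if new_mode != COMPLIANCE or new_until < obj.retain_until:
            return False, "COMPLIANCE retention can only be extended"
        return True, "extended"
    if new_until < obj.retain_until:  # shortening GOVERNANCE retention
        if bypass_requested and who.can_bypass_governance:
            return True, "shortened via GOVERNANCE bypass"
        return False, "shortening GOVERNANCE retention needs the bypass permission"
    return True, "extended" + (", upgraded to COMPLIANCE" if new_mode == COMPLIANCE else "")

def demo():
    """Constructed scenario: a 30-day COMPLIANCE lock taken on 4 May 2026."""
    t0 = datetime(2026, 5, 4, tzinfo=timezone.utc)
    admin = Principal("backup-admin", can_bypass_governance=True)
    vault = lock_backup_set("vault/app-vm-2026-05-04.bak", t0)
    return {
        "delete_day1": delete_allowed(vault, admin, t0 + timedelta(days=1), True)[0],
        "shorten": retention_change_allowed(vault, admin, COMPLIANCE, t0 + timedelta(days=7), True)[0],
        "extend": retention_change_allowed(vault, admin, COMPLIANCE, t0 + timedelta(days=60))[0],
        "delete_day31": delete_allowed(vault, admin, t0 + timedelta(days=31))[0],
    }
```

Even a fully privileged backup administrator cannot delete or shorten the compliance-locked set before day 30, which is exactly the property a ransomware operator with stolen admin credentials runs into.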
Reference frameworks: ISO/IEC 27001:2022 Annex A.8.13 (backups) and A.5.30 (ICT readiness for continuity), NIST CSF 2.0 PR.DS‑07 (data protection) and RC.MI‑04 (tested recovery capability), plus CIS Controls 11 (data recovery).

How Luxgap implements this

  • Our ISO 27001 governance: define RPO/RTO per critical process, map applications and data flows, select retention levels (operational/legal) and immutability policy (time locks, dedicated KMS keys, role separation).
  • Our 24/7 managed SOC: monitor backup jobs (success/failure, volume drifts, abnormal dedupe ratios), correlate with EDR/XDR, and detect NAS/VM mass‑delete/mass‑encrypt. On‑call escalation with runbooks to pivot to the immutable vault; see our managed SOC.
  • Our outsourced CISO/DPO consultants: alignment with DORA/NIS 2 (Articles 11–12 and NIS 2 Art. 21), exercise scenarios, minutes and evidence for CSSF/ILR inspections. We document compliance and maintain it through monthly indicators.

Practically, we build an immutable vault with Object Lock in compliance mode (or a WORM appliance), an isolated landing zone for malware scanning, and a portfolio of timestamped restore exercises. Access follows zero‑trust principles (phishing‑resistant MFA, PAM for backup consoles), and each WORM unlock follows dual approval with a signed audit trail.

Real‑world case in Luxembourg or the EU

Example (anonymised): a regulated fiduciary in Luxembourg, subject to DORA and NIS 2, ran classic continuously replicated backups. Target: RPO ≤ 4h, RTO ≤ 8h, with auditable evidence.

  • Weeks 1–2: architecture review, application classification (Tier 0/1/2), define backup/restore windows and immutable sets, integrate a separate KMS.
  • Weeks 3–4: deploy a WORM repository (on‑prem S3‑compatible) and an out‑of‑band vault, network segmentation, enhanced logging, FIDO2 MFA.
  • Weeks 5–6: application restore exercises + DORA Art. 11 tabletop (ransomware attack), captured RPO/RTO metrics. Result: controlled restore in 6h30 on a full‑encryption scenario of an app VM, with zero re‑infection thanks to pre‑restore scanning and a clean landing zone.

First concrete steps

  1. Measure your actual RPO/RTO: pick a critical app and restore it this week in an isolated environment. Record restore time and data loss. This is your DORA Art. 11 baseline.
  2. Differentiate backup vs retention: enable an immutability set (Object Lock/WORM) with 14–30 days’ retention and read‑only access. Separate accounts/tenants and KMS keys.
  3. Separate networks: put the immutable vault in a non‑routed segment, no persistent mounts, with one‑way pull flows from the target.
  4. Harden consoles: FIDO2 MFA for backup admins, PAM for break‑glass accounts, SOC alerts on any delete/change retention attempt.
  5. Exercise plan: schedule a quarterly ransomware tabletop and a dry‑run restore, with minutes and metrics. This is your DORA Art. 12 evidence.

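The SOC monitoring described above (job success/failure, volume drifts, abnormal dedupe ratios) and step 4's alert on any delete or retention‑change attempt come down to a few detection rules over backup job telemetry. The following is an added example, not Luxgap's SOC content; the JSON‑lines log is constructed and its field names (type, job, status, bytes, dedupe, action, target) are assumptions rather than any vendor's schema.

```python
# Detection logic for backup job telemetry (added example, not Luxgap's SOC
# rules). SAMPLE_LOG is constructed and its field names are assumptions. Rules:
# failed jobs, backup volume drifting beyond DRIFT between consecutive runs of a
# job, a collapsing dedupe ratio (encrypted data does not dedupe), and any
# retention change or repository deletion, which triggers the pivot to the vault.
import json

DRIFT = 0.40            # +/-40% change in bytes written between consecutive runs
DEDUPE_COLLAPSE = 0.5   # current dedupe ratio below half of the previous run
ADMIN_ACTIONS = {"set_retention", "delete_repository", "disable_immutability"}

SAMPLE_LOG = """\
{"ts":"2026-05-03T02:00:11Z","type":"job","job":"erp-db","status":"success","bytes":42000000000,"dedupe":4.1}
{"ts":"2026-05-03T02:30:05Z","type":"job","job":"fileshare","status":"success","bytes":120000000000,"dedupe":6.8}
{"ts":"2026-05-04T02:00:09Z","type":"job","job":"erp-db","status":"success","bytes":43000000000,"dedupe":4.0}
{"ts":"2026-05-04T02:31:40Z","type":"job","job":"fileshare","status":"success","bytes":205000000000,"dedupe":1.2}
{"ts":"2026-05-04T03:10:02Z","type":"job","job":"mes-app","status":"failed","bytes":0,"dedupe":0}
{"ts":"2026-05-04T03:15:44Z","type":"admin","user":"bkp-svc","action":"set_retention","target":"vault/fileshare","detail":"30d->1d"}
{"ts":"2026-05-04T03:16:01Z","type":"admin","user":"bkp-svc","action":"delete_repository","target":"vault/fileshare"}
"""

def parse_events(text):
    """One JSON object per non-empty line, kept in file order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def analyse(events):
    """Return a list of alerts; each names the rule, a severity and the evidence."""
    alerts, last_run = [], {}
    for ev in events:
        if ev["type"] == "admin" and ev["action"] in ADMIN_ACTIONS:
            alerts.append({"rule": "retention_or_delete", "severity": "critical",
                           "evidence": f'{ev["user"]} {ev["action"]} {ev["target"]}'})
            continue
        if ev["type"] != "job":
            continue
        if ev["status"] != "success":
            alerts.append({"rule": "job_failed", "severity": "high", "evidence": ev["job"]})
            continue
        prev = last_run.get(ev["job"])
        if prev:
            change = (ev["bytes"] - prev["bytes"]) / prev["bytes"]
            if abs(change) > DRIFT:
                alerts.append({"rule": "volume_drift", "severity": "high",
                               "evidence": f'{ev["job"]} {change:+.0%} vs previous run'})
            if prev["dedupe"] and ev["dedupe"] < DEDUPE_COLLAPSE * prev["dedupe"]:
                alerts.append({"rule": "dedupe_collapse", "severity": "high",
                               "evidence": f'{ev["job"]} dedupe {prev["dedupe"]} -> {ev["dedupe"]}'})
        last_run[ev["job"]] = ev
    return alerts
```

On the constructed log, the fileshare job on 4 May trips both the volume and dedupe rules (the signature of encrypted data being backed up), the failed MES job is flagged, and the two admin actions on the vault produce critical alerts while the healthy erp-db job stays silent.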
Key message for leaders in Luxembourg, Belgium, France, Germany and across the EU: the West case (04/05/2026) shows that without immutable, isolated, and tested backups, a ransomware attack can paralyse operations. With proven architecture, regular testing and DORA‑compliant evidence, the incident becomes a setback, not a crisis. To assess your posture and plan exercises, engage our BCP/DRP offering or leverage a managed SOC for continuous monitoring.
