DORA Does Not Mandate Multi-AZ or Multi-Region — It Demands Proof of Recovery
The EU's Digital Operational Resilience Act (DORA) sets strict ICT resilience rules for financial entities but never references availability zones or multi-region cloud architectures in its text. Instead, Article 12 requires organisations to maintain redundant ICT capacity, keep backups on systems physically and logically separate from the source, and define their own recovery time and recovery point objectives based on each function's criticality. A secondary processing site requirement does exist within DORA, but it applies only to central securities depositories and central counterparties — not to typical banks or SaaS vendors. Even where the secondary site rule applies, the regulation focuses on distinct risk profiles and geographic separation from threats, not on specific technical configurations. The core question DORA poses to any organisation is whether it can prove, per application, how long it can afford to be down and how much data it can afford to lose.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in