Responding to the EU Digital Operational Resilience Act (DORA) with Oracle Zero Data Loss Autonomous Recovery Service (ZRCV)

 

This blog is dedicated to providing a better understanding of how the Oracle Cloud Infrastructure (OCI) and Multicloud (Amazon Cloud Service (AWS), Microsoft Azure Cloud, Google Cloud (GCP)) Oracle Database Services (ExaDB-D, BaseDB) protection with Oracle Zero Data Loss Autonomous Recovery Service (ZRCV) can help with the implications of the recently enforced European Union (EU) Digital Operational Resilience Act (DORA). The nature of the blog is not technical and is intended to highlight some relevant DORA-specific requirements for Data Security and Cyber Resilience in the specific ZRCV technical feature set.

We partially addressed DORA Immutability and Air-Gap requirements in the blog Enhancing Cloud Cyber Security with Immutable Oracle Zero Data Loss Autonomous Recovery Service.

Let’s start by defining the ZRCV service’s Immutability:

ZRCV as an Immutable Cloud Service is an isolated Oracle-managed solution that provides automated lifecycle management with strict policy-based retention management, which prevents deletion or alteration of backup data.

Let’s map out relevant DORA regulation Articles against specific ZRCV technology areas[1]:

  • Article 7: ICT systems, protocols and tools
  • Article 8:  identification
  • Article 9:  protection and prevention
  • Article 10: Detection
  • Article 11: Response and recovery
  • Article 12: Backup policies and procedures, restoration and recovery procedures and methods

Let’s look at some of the specific requirements set out in these articles and review how ZRCV can help address them as a fully integrated, cloud-native service as part of Oracle Database Services’ secure delivery.

Article

Requirement

ZRCV Features

Article 7 –

ICT systems, protocols and tools

In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:

  • appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle
  • reliable;
  • equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
  • technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.

Oracle OCI and Multicloud deployment encourage using the latest available Oracle Database versions for enhanced security. Oracle provides the most up-to-date Exadata Hardware Platform, which is also being leveraged for the ZRCV infrastructure.

ZRCV scalable capacity is accomplished by the service elasticity of the Oracle-managed Recovery Appliances fleet.

Resiliency comes in multiple ways: infrastructure deployment with high availability paired appliances that not only provide additional resilience but also help eliminate dependencies from operational maintenance and downtime.

 

Article 8 – Identification

[…] financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. Financial entities shall review as needed, and at least yearly, the adequacy of this classification and of any relevant documentation. […]

OCI and Multicloud provide a variety of tools such as Database Security Assessment Tool (DBSat), Real Application Testing (RAT), etc. In addition to this layered cyber defence, ZRCV is fully integrated with cloud Role-Based Access Control (RBAC) management, which helps to facilitate defining roles and responsibilities in the backup environment with granular security policy settings designed to provide for targeted access control restrictions. 

Article 9 – Protection and prevention
  • […] financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
  • Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
  • […] financial entities shall […] implement policies that limit the physical or logical access to information assets and ICT assets […]

OCI and Multicloud (Azure and GCP, future AWS) provide the necessary tools that help implement the Maximum Availability Architecture “Gold” level of resiliency and are built following the Maximum Security Architecture from the ground up.

ZRCV, as an Immutable Service, is a fundamental part of the Maximum Availability Architecture and helps to: (1) provide transaction-level database protection (2) maintain Oracle Transparent Data Encryption (TDE) throughout the backup lifecycle, and (3) enforce Policy-based backup lifecycle management outside of the customer-managed environment. Prevention is based on the built-in automated backup validation at the source, in-flight, and at rest.  

Article 10 – Detection
  • Financial entities shall have in place mechanisms to promptly detect anomalous activities  […]
  • All detection mechanisms referred to in the first subparagraph shall be regularly tested  […]
  • The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response.

OCI and Multicloud provide a wide variety of early-detection tools, such as Identity Management monitoring, database data compromise, etc. ZRCV is a part of the Cyber Resilience enablement with built-in automated instant backup validation at the source, in-flight, and at rest. In addition, ZRCV is designed to provide full visibility into the backup health monitoring and potential data loss, enabling automated OCI Alert and Metric Explorer frameworks.    

Article 11 – Response and  recovery
  • […] financial entities shall put in place a comprehensive ICT business continuity policy […]  forming an integral part of the overall business continuity policy

Financial entities shall implement the ICT business continuity policy through dedicated, appropriate and documented arrangements, plans, procedures and mechanisms aiming to:

  • ensure the continuity of the financial entity’s critical or important functions;
  • […] resolve all ICT_related incidents in a way that limits damage and prioritizes the resumption of activities […] 
  • activate, without delay […] response and recovery procedures established in accordance with Article 12 […] 
  • estimate preliminary impacts, damages and losses […] 

OCI and Multicloud are designed to provide full Cyber Security assessment and planning services, including Backup and Recovery, Disaster Recovery, and Business Continuity.

Oracle Consulting and Customer Success Services can help create policies and procedures and help manage or maintain ZRCV customer environment to ensure that the setup complies with customer requirements. ZRCV helps to limit potential exposure to any cyber or rogue actor attack by isolating ZRCV Oracle-managed tenancy from any customer or any other access, using Oracle Private Endpoint secure network as the only one-directional access point to the managed environment. In addition to the transaction-level database protection, it is designed to minimize or eliminate potential data loss in case of a business-critical event.   

Article 12 – Backup policies and procedures, restoration and recovery procedures and methods
  • For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss […] financial entities shall develop and document backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data […]
  • […] financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT system shall be securely protected from any unauthorised access or ICT corruption […]
  • […] recovery time and recovery point objectives […]  shall ensure that […]  service levels are met […]
  • […]  ensure that all data is consistent between systems […]

ZRCV provides unique capabilities that help eliminate dependency on unpredictable backup cadences by introducing continuous transaction-level database protection with near-zero RPO and the Lowest RTO for Databases. Customers can pick and choose their SLAs for different levels of protection for business-critical assets versus less critical environments like test/dev environments.

Recovery SLAs are optimized because ZRCV operates on the “incremental forever” strategy while generating a verified full virtual backup for a one-step rapid recovery that helps to minimize potential downtime.

ZRCV Oracle-managed tenancy is fully isolated from any customer access. In addition to it, ZRCV as an Immutable Service, also leverages logical Air-Gap backup data isolation designed with the fully redundant, highly-available hardware appliances deployment in mind.

Data consistency is based on the multi-level backup data block-level validation at the source, in-flight, at rest, and during replication between the appliances.

 

Conclusion

With the EU Digital Operational Resilience Act (DORA) having entered into force on January 17, 2025, many organizations are continuing to evaluate their current IT infrastructure in light of the requirements laid down by DORA. Let’s recap what Oracle Cloud Services, together with the Recovery Service (ZRCV), can offer as a unified DORA-oriented solution:

For Oracle databases in OCI and Multicloud (Azure, Google Cloud (GCP), AWS), ZRCV as an Immutable Cloud Service is designed to support digital operational resilience, including:

  • Separate Oracle-managed service tenancy, isolated from a customer or any other potentially malicious access
  • Built-in logical Air-Gap
  • Built-in backup validation throughout the entire lifecycle: at the source, in-flight, at rest, during replication
  • Private endpoint networks for all customer tenancy interactions with ZRCV
  • Mandatory end-to-end encryption of production data to backups and Long-term Retention
  • End-to-end encryption throughout backup and long-term retention lifecycle leveraging the external to backup database source Oracle Transparent Data Encryption (TDE)
  • Security-hardened Exadata platform hardware and OS 
  • Alignment with Oracle Maximum Availability and Security Architecture
  • Enforced access controls to help meet the Service Immutability requirements
  • ZRCV end-to-end complete backup and recovery lifecycle management with database-aware protection health monitoring and reporting

 While we are fully aware that this blog does not address the entire complexity of the DORA requirements, it provides a set of initial discussion points for interested parties that are either starting or already engaged in DORA compliance-related conversations with the Oracle sales teams, their CISOs, or their Product Management counterparts.

Disclaimer:

The information in this blog may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their use of Oracle services. The relevant contract(s) between you and Oracle determine(s) the scope of services provided and the related legal terms. The information in this blog is provided for reference only and is not part of, and does not otherwise create or amend, any agreement, warranties, representations or other obligations between you and Oracle. Oracle disclaims any terms or statements contained in this blog that seek to impose legal or operational requirements on Oracle for the delivery of the services. Customers and prospective customers acknowledge that they remain solely responsible for meeting their legal and regulatory requirements.

[1] The information in this table includes extracts of DORA. The official text is published in the Official Journal of the European Union: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

[2] OCI Autonomous Recovery Service page

[3] Replay: Introducing OCI Autonomous Recovery Service

[4] OCI Autonomous Recovery Service documentation