# Art. 12 — Backup & restoration 1. For the purpose of ensuring the restoration of ICT systems and data with minimum downtime, limited disruption and loss, as part of their [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework, financial entities shall develop and document: 1. backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data; 2. restoration and recovery procedures and methods. 2. Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods. The activation of backup systems shall not jeopardise the security of the [network and information systems](https://www.mica.wtf/definitions/definitions/dora/network-and-information-system) or the availability, authenticity, integrity or confidentiality of data. Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically. 3. When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorised access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary. For [central counterparties](https://www.mica.wtf/definitions/definitions/dora/central-counterparty), the recovery plans shall enable the recovery of all transactions at the time of disruption to allow the [central counterparty](https://www.mica.wtf/definitions/definitions/dora/central-counterparty) to continue to operate with certainty and to complete settlement on the scheduled date. [Data reporting service providers](https://www.mica.wtf/definitions/definitions/dora/data-reporting-service-provider) shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times. 4. Financial entities, other than [microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise), shall maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs. [Microenterprises](https://www.mica.wtf/definitions/definitions/dora/microenterprise) shall assess the need to maintain such redundant ICT capacities based on their risk profile. 5. [Central securities depositories](https://www.mica.wtf/definitions/definitions/dora/central-securities-depository) shall maintain at least one secondary processing site endowed with adequate resources, capabilities, functions and staffing arrangements to ensure business needs. The secondary processing site shall be: 1. located at a geographical distance from the primary processing site to ensure that it bears a distinct risk profile and to prevent it from being affected by the event which has affected the primary site; 2. capable of ensuring the continuity of [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) identically to the primary site, or providing the level of services necessary to ensure that the financial entity performs its critical operations within the recovery objectives; 3. immediately accessible to the financial entity's staff to ensure continuity of [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) in the event that the primary processing site has become unavailable. 6. In determining the recovery time and recovery point objectives for each function, financial entities shall take into account whether it is a [critical or important function](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function) and the potential overall impact on market efficiency. Such time objectives shall ensure that, in extreme scenarios, the agreed service levels are met. 7. When recovering from an [ICT-related incident](https://www.mica.wtf/definitions/definitions/dora/ict-related-incident), financial entities shall perform necessary checks, including any multiple checks and reconciliations, in order to ensure that the highest level of data integrity is maintained. These checks shall also be performed when reconstructing data from external stakeholders, in order to ensure that all data is consistent between systems. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.mica.wtf/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-12-backup-policies-and-procedures.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.