DORA Article 11 has been in force since January 17, 2025. For financial entities in scope, backup is no longer an IT hygiene item — it is a board-level continuity capability with explicit evidence requirements. The gap most teams discover at audit time: they can show jobs ran, but they cannot prove recovery would work when it matters. Continuous Resilience Enforcement closes that gap by producing the evidence carriers regulators expect — automatically, with timestamps that survive forensic scrutiny.
Who is in scope for DORA Article 11
DORA applies to financial entities operating in the EU — including banks, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, and critical ICT third-party service providers. Article 11 specifically addresses ICT business continuity: backup, recovery, and the ability to demonstrate those capabilities under examination.
Even if your organization is US-based, the same evidence artifact satisfies overlapping requirements: SOC 2 Type II operating effectiveness, NIS2 Annex I/II for critical infrastructure, and cyber insurance forensic audits. As the Why Forttic page notes, ransomware and insurer drift audits do not respect geography — 25–40%+ of cyber claims are now denied for control drift between application and incident.
Not sure where your estate stands? Start with the free CRE resilience assessment or read our CRE overview for how enforcement sits above your existing backup stack.
Why backup is governance now
Article 11 names ICT continuity and recovery as operational resilience requirements. Regulators are not asking whether you have a backup policy. They are asking whether you can demonstrate geographic separation, recovery testing, and continuity capability — continuously, with timestamps that survive forensic scrutiny.
"We have backups" is not evidence. "We proved isolated recovery for tier-1 workloads on this date, with these guardrails, and remediated three drift events since the last review" is.
This shift mirrors what cyber insurers already do: compare what you attested at application against what was running at incident. Backup configuration is not enforcement. Policy attestation is not proof. That is the core argument behind Continuous Resilience Enforcement — and why posture-only tools leave the hardest compliance work on your team.
What regulators actually ask for
In pre-audit questionnaires and on-site reviews, three questions recur across DORA, NIS2, and SOC 2 Type II contexts:
- Can you prove backup copies are geographically separated from production — validated against cloud metadata, not self-reported configuration?
- When did you last perform an isolated recovery test — not a mount, a full clean-room restore?
- What changed in your backup posture since the last review, and who approved it?
Console exports and quarterly slide decks rarely answer all three. Continuous enforcement produces the audit trail by default — mapped to specific Article 11 paragraphs, exportable on demand through Forttic's Report stage.
Forttic CRE mapping
Forttic maps enforcement actions to DORA Article 11 paragraphs automatically — geographic separation checks, recovery test records, and drift remediation timestamps become exportable evidence packages on demand. No manual assembly before the examination.
The five evidence carriers
What should a DORA Article 11 evidence package include? A credible package typically contains five carriers. Most organizations have one or two; regulators expect all five with continuous timestamps:
- Configuration posture — immutability, Object Lock, retention alignment to policy, and 3-2-1-1-0 layer compliance across vendors
- Recovery test records — clean-room restore with pass/fail, scope, RTO/RPO measurement, and workload tier
- Drift remediation log — what changed, when, under which guardrail, with before/after state
- Coverage map — assets protected vs. exposed, cross-vendor, including what runs where and what should be protecting it
- Decision audit trail — who or what authorized retention, coverage, or immutability changes
Sample evidence export
Evidence packages are generated as structured exports from Forttic's Report stage. A simplified JSON fragment might look like:
{
"standard": "DORA Article 11",
"framework": "CRE 3-2-1-1-0",
"workload": "tier-1-eu-payments",
"last_isolated_restore": "2026-05-15T14:22:00Z",
"geo_separation": "verified",
"immutability_status": "object_lock_governance",
"drift_events_remediated": 3,
"coverage_gaps": 0
}
How CRE maps to Article 11
Each evidence carrier maps directly to a stage in the Continuous Resilience Enforcement loop:
- Discover → coverage map and asset inventory (what is protected vs. what should be)
- Assess → configuration posture scoring against DORA, NIS2, and 3-2-1-1-0 policy
- Enforce → drift remediation log with guardrail attribution and before/after state
- Verify → recovery test records from clean-room restores on tier-1 workloads
- Report → exportable Article 11 evidence package with regulator-mapped controls
This is the difference between observation and enforcement for compliance. CBPM tools may surface configuration posture; they do not close the loop with verified recovery proof and continuous drift remediation. Forttic does — cross-vendor, vendor-neutral by structure, above Veeam, Commvault, Druva, and every cloud-native backup service. See vendor coverage for the full integration list.
For example decisions Forttic delegates — DORA Article 11 evidence on demand, Object Lock tampering detection, clean-room test gap analysis — see Ask Forttic.
Why quarterly theater fails
Annual or quarterly restore drills produce a moment-in-time snapshot. Between drills, tag drift, silent job failures, and retention changes accumulate. Underwriters and regulators increasingly treat point-in-time proof as insufficient operating effectiveness — the same pattern named in cyber insurance denials and SOC 2 Type II examinations.
Continuous enforcement does not replace scheduled drills for tier-1 workloads — it supplements them with lightweight integrity checks across every protected asset, catching the silent-failure pattern before ransomware does. 96% of ransomware attacks target backup repositories; when they succeed, the median ransom doubles. CRE's Verify stage removes the leverage by proving immutability and clean recovery continuously.
What week one looks like
Teams implementing continuous DORA evidence collection typically follow this path — the same onboarding described on the homepage and CRE Framework page:
- Day 1–2: Read-only IAM connection, automatic asset discovery across cloud and backup vendors
- Day 3–5: Initial posture scoring against DORA Article 11, NIS2, and SOC 2 mappings
- Week 1: First isolated-recovery records for tier-1 workloads
- Week 2+: Decision guardrails defined with your team; enforcement skills activate within bounds you authorize
No agents on production. No production data stored. Decision execution limited to the backup estate. Agentic architecture — knowledge, memory, triggers, skills, tools — is detailed on How Forttic Decides.
Frequently asked questions
When did DORA Article 11 take effect?
DORA Article 11 enforcement has been in force since January 17, 2025. For in-scope financial entities, backup and ICT continuity are board-level governance requirements with explicit evidence expectations — not IT hygiene checkboxes.
Who must comply with DORA Article 11?
DORA applies to financial entities in the EU — banks, payment institutions, investment firms, insurance undertakings, crypto-asset service providers, and critical ICT third-party providers. Article 11 covers ICT business continuity and demonstrable backup/recovery capability.
What evidence do regulators ask for on backup?
Three questions recur: Can you prove geographic separation of backups? When did you last perform an isolated recovery test — not just a mount? What changed in backup posture since the last review, and who approved it? Console green lights are not sufficient.
Why is quarterly restore testing insufficient for DORA?
Drills produce point-in-time snapshots. Between drills, drift and silent failures accumulate. DORA, NIS2, and SOC 2 Type II increasingly expect operating effectiveness over time — continuous evidence, not periodic theater.
Does DORA Article 11 overlap with NIS2 or SOC 2?
Yes. All three expect continuous proof of backup controls. The same Forttic evidence carriers — configuration posture, recovery tests, drift logs, coverage maps, audit trails — satisfy DORA Article 11, NIS2 Annex I/II, and SOC 2 Type II backup requirements.
Does Forttic replace backup tools for DORA compliance?
No. Forttic is a Continuous Resilience Enforcement layer above existing backup vendors. It maps enforcement actions to Article 11 controls and exports evidence on demand — without rip-and-replace. Keep Veeam, Commvault, Druva, or whatever you run today.
How does Forttic help with DORA Article 11?
Forttic runs the CRE loop continuously: discovers assets, assesses drift against Article 11 mappings, enforces within guardrails, verifies isolated recovery, and reports exportable evidence packages on demand. See our CRE overview for how enforcement fits your stack.
We're in the US, not the EU. Does this still apply?
DORA is EU-specific, but SOC 2 Type II, cyber insurance forensic audits, and ransomware recovery proof apply globally. The same timestamped evidence artifact satisfies all of them — operating effectiveness over time, not geography-specific attestations.