
Personal data retention management in ICT systems faces new challenges arising from increasingly strict regulatory requirements in cybersecurity and personal data protection. The NIS2 Directive and the DORA Regulation introduce standards for information security and digital operational resilience that directly affect how organisations must manage the information lifecycle, and personal data in particular.
NIS2 focuses on the security and continuity of network and information systems, requiring essential and important entities to implement risk management measures, report significant incidents, and adopt policies on cryptography and, where appropriate, encryption and multi-factor authentication. DORA, aimed at the financial sector, imposes detailed requirements for data backup and restoration, testing of recovery procedures, and management of the risk arising from ICT third-party service providers.
In this context, organisations must not only comply with GDPR rules on data minimisation and specific retention periods, but also ensure that their ICT systems are resilient to cyber attacks, enable rapid data recovery and ensure full transparency in information processing. Contemporary trends, such as the automation of data lifecycle management, the use of artificial intelligence for the detection and classification of personal data, and the implementation of Zero Trust architecture, offer new opportunities but also bring challenges related to system integration, data management in multi-cloud environments, and ensuring compliance with multiple overlapping regulations.
Below, we present five key trends and five major challenges facing organisations managing personal data retention in the context of NIS2 and DORA requirements.
Five key trends
1. Automation of personal data lifecycle management
Automation of data retention processes is becoming standard in organisations that must manage large volumes of personal data under increasingly complex regulatory requirements. Automated data lifecycle management tools identify, classify and delete data in accordance with established retention policies.
IT systems can automatically move older data to cheaper storage tiers, eliminate unnecessary information, and ensure that personal data is deleted once the retention period required by law or by a legitimate business purpose has expired. Two safeguards matter in practice: automated deletion must honour legal holds and pending data subject requests, and every deletion should leave an audit record (what was deleted, under which rule, when), because the organisation must be able to demonstrate compliance afterwards. In the context of NIS2, which requires ICT risk management policies and network and information system security, automated retention lets organisations apply information security principles consistently across their entire infrastructure.
2. AI-supported detection and classification of personal data
The use of artificial intelligence for the automatic detection and classification of personal data is revolutionising the way organisations identify sensitive information in their ICT systems. Machine learning-based tools can scan both structured and unstructured data, recognise patterns, and detect personal data that may have been overlooked by traditional identification methods.
Such classifiers are reported to reach around 95% accuracy in classifying personal data, outperforming manual review and reducing human error. That figure depends heavily on the training data, so it should be validated on a labelled sample of the organisation's own records, and precision and recall should be tracked separately: for retention purposes a missed record (a false negative) is the costly error. These systems combine pattern matching with natural language processing (for example, named-entity recognition) and anomaly detection to map where personal data resides across the organisation. In the context of NIS2, which requires thorough knowledge of information assets and the implementation of data security policies, effective data discovery is the foundation of retention management.
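As an added example (not code from the page or from any product it mentions), the block below shows the deterministic baseline that a learned classifier is measured against: candidate patterns for a few personal-data formats, each confirmed by its checksum before being reported. The checksum step is what keeps precision usable on free text, and the sample sentence is constructed test data containing two near-misses that fail their checksums on purpose.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "pesel", "card", "iban" or "email"
    start: int     # offset of the match in the scanned text
    end: int
    masked: str    # value with all but the last four characters hidden


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def pesel_ok(pesel: str) -> bool:
    """Polish national ID (PESEL): 11 digits with a weighted mod-10 control digit."""
    if not (pesel.isdigit() and len(pesel) == 11):
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    s = sum(int(c) * w for c, w in zip(pesel[:10], weights))
    return (10 - s % 10) % 10 == int(pesel[10])


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35; the resulting integer must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


# (kind, candidate pattern, validator applied to each candidate)
PATTERNS = [
    ("card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), lambda m: luhn_ok(_digits(m))),
    ("pesel", re.compile(r"\b\d{11}\b"), pesel_ok),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){1,7}(?:\s?[A-Z0-9]{1,3})?\b"), iban_ok),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), lambda m: True),
]


def mask(kind: str, value: str) -> str:
    """Report findings without copying the personal data into the report itself."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    raw = value.replace(" ", "") if kind == "iban" else _digits(value)
    return "*" * (len(raw) - 4) + raw[-4:]


def scan(text: str) -> list[Finding]:
    """Return checksum-validated findings, earliest first, with no overlapping spans."""
    findings: list[Finding] = []
    for kind, pattern, valid in PATTERNS:
        for m in pattern.finditer(text):
            overlaps = any(f.start < m.end() and m.start() < f.end for f in findings)
            if not overlaps and valid(m.group()):
                findings.append(Finding(kind, m.start(), m.end(), mask(kind, m.group())))
    return sorted(findings, key=lambda f: f.start)


# Constructed sample: the last two numbers look right but fail their checksums.
SAMPLE = (
    "Customer PESEL 44051401359 paid with card 4111 1111 1111 1111, "
    "refund to GB82 WEST 1234 5698 7654 32, contact jan.kowalski@example.com. "
    "Reference numbers 44051401358 and 4111 1111 1111 1112 fail their checksums."
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.kind:6} at {f.start:>3}-{f.end:<3} {f.masked}")
```

A learned classifier adds what this cannot do, such as recognising names and addresses, but it should be evaluated the same way: on labelled samples, with false negatives counted separately, and with its hits masked rather than copied into the discovery report.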
3. Implementation of Zero Trust architecture in data management
Zero Trust architecture, based on the principle of “never trust, always verify,” is becoming a key trend in securing access to personal data and managing its retention. The Zero Trust model requires continuous verification of the identity of all users, devices and systems at every interaction with data, the application of the principle of least privilege, and network micro-segmentation to limit the potential scope of attacks.
In retention management, this ensures that only authorised systems and users can initiate data deletion or archiving, which matters in light of NIS2 requirements for access control and asset management. A practical pattern is to run deletion and archiving jobs under a dedicated, narrowly scoped identity whose permissions are granted only for the duration of the job and whose actions are logged and attributable. Zero Trust designs are usually paired with encryption of data in transit and at rest, which both NIS2 and DORA expect where appropriate.
4. Immutable backups as protection against ransomware
Immutable backups are becoming the industry standard against ransomware attacks that deliberately destroy backups before encrypting production data. WORM (Write Once, Read Many) storage ensures that once a backup is written, it cannot be modified, deleted or overwritten for a specified retention period. Two caveats apply: only a compliance-style lock resists an administrator with full privileges, whereas governance-style locks can typically be bypassed by an account holding a specific override permission, and the lock period must exceed the attacker's likely dwell time, or every locked copy may already contain compromised data.
Immutable backups are particularly important under DORA, which requires financial institutions to maintain backup systems capable of surviving cyber incidents and to test data recovery procedures regularly. NIS2 likewise requires continuity of network and information systems through business continuity planning, including up-to-date backups and data recovery strategies.
5. Privacy enhancing technologies
Privacy enhancing technologies (PETs) are gaining importance as tools that enable organisations to use data for analytical purposes while maintaining individual privacy. PETs include a range of techniques such as anonymisation, pseudonymisation, differential privacy, federated learning, homomorphic encryption and synthetic data, which allow data to be processed without compromising individual privacy.
In retention management, PETs offer an alternative to outright deletion when the retention period expires. Data can be anonymised, allowing continued use for statistical, research or AI model training purposes while meeting GDPR data minimisation requirements. The caveat is that pseudonymised data remains personal data under GDPR and stays subject to retention limits; only data anonymised robustly enough that re-identification is not reasonably likely falls outside GDPR, and that judgement must be documented and revisited as auxiliary data sets and re-identification techniques improve. NIS2 and DORA, by expecting cryptographic and data protection controls, create a favourable environment for adopting PETs.
Five key challenges
1. Retention management in multi-cloud environments
Organisations are increasingly using multi-cloud strategies, storing data on different cloud platforms (AWS, Azure, GCP) and with different SaaS providers, which creates significant challenges for the consistent management of personal data retention. Each cloud provider has its own set of services, APIs, compliance certifications and security models, so a single retention policy has to be expressed differently in each location and verified separately.
The challenge is particularly relevant under DORA, which requires financial institutions to maintain a register of information on their contractual arrangements with ICT third-party providers, including where data supporting critical or important functions is stored. NIS2 also imposes an obligation to manage supply chain security and to cooperate with suppliers in assessing risks and implementing appropriate procedures to protect against cyber attacks.
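One way to keep a retention policy consistent across providers is to hold it in one canonical form and derive each provider's lifecycle rule from it, then compare what is deployed against that source of truth. The block below is an added example, not code from the page or from any product it mentions; the rule shapes follow the S3, Azure Blob Storage and Cloud Storage lifecycle schemas as the author knows them and should be validated with each provider's CLI before use, the "support" container name is an assumption, and the policy values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    prefix: str               # object-key prefix the rule applies to
    cold_after_days: int      # move to a cheaper tier after this many days
    delete_after_days: int    # hard retention limit

    def validate(self) -> None:
        if self.cold_after_days <= 0 or self.delete_after_days <= 0:
            raise ValueError(f"{self.name}: periods must be positive")
        if self.cold_after_days >= self.delete_after_days:
            raise ValueError(f"{self.name}: tiering must happen before deletion")


def to_aws(p: RetentionPolicy) -> dict:
    """S3 bucket lifecycle configuration (PutBucketLifecycleConfiguration shape)."""
    p.validate()
    return {"Rules": [{
        "ID": p.name,
        "Filter": {"Prefix": p.prefix},
        "Status": "Enabled",
        "Transitions": [{"Days": p.cold_after_days, "StorageClass": "STANDARD_IA"}],
        "Expiration": {"Days": p.delete_after_days},
    }]}


def to_azure(p: RetentionPolicy, container: str) -> dict:
    """Azure Blob Storage lifecycle management policy; prefixMatch is container/prefix."""
    p.validate()
    return {"rules": [{
        "enabled": True,
        "name": p.name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": p.cold_after_days},
                "delete": {"daysAfterModificationGreaterThan": p.delete_after_days},
            }},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [f"{container}/{p.prefix}"]},
        },
    }]}


def to_gcp(p: RetentionPolicy) -> dict:
    """Cloud Storage bucket lifecycle configuration."""
    p.validate()
    return {"lifecycle": {"rule": [
        {"action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
         "condition": {"age": p.cold_after_days, "matchesPrefix": [p.prefix]}},
        {"action": {"type": "Delete"},
         "condition": {"age": p.delete_after_days, "matchesPrefix": [p.prefix]}},
    ]}}


def deletion_days(rendered: dict) -> int:
    """Read the hard deletion period back out of any of the three rule shapes,
    so a configuration fetched from a provider can be compared with the policy."""
    if "Rules" in rendered:                                  # AWS
        return rendered["Rules"][0]["Expiration"]["Days"]
    if "rules" in rendered:                                  # Azure
        base = rendered["rules"][0]["definition"]["actions"]["baseBlob"]
        return base["delete"]["daysAfterModificationGreaterThan"]
    for rule in rendered["lifecycle"]["rule"]:               # GCP
        if rule["action"]["type"] == "Delete":
            return rule["condition"]["age"]
    raise ValueError("no deletion rule found")


def drift(policy: RetentionPolicy, deployed: dict) -> bool:
    """True when a deployed configuration keeps data longer or shorter than intended."""
    return deletion_days(deployed) != policy.delete_after_days


# Constructed policy: support-ticket attachments kept two years, tiered after 90 days.
TICKETS = RetentionPolicy("ticket-attachments", "tickets/", 90, 730)

if __name__ == "__main__":
    import json
    for label, cfg in (("aws", to_aws(TICKETS)),
                       ("azure", to_azure(TICKETS, "support")),
                       ("gcp", to_gcp(TICKETS))):
        print(label, json.dumps(cfg, indent=2))
```

The drift check is the part worth scheduling: a rule edited by hand in one console silently changes the retention period for that location, and fetching each provider's live configuration and comparing it with the canonical policy is how that is caught.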
2. Ensuring backups comply with retention policies
One of the most difficult challenges in data retention management is ensuring that personal data is actually deleted from backups as well, and not just from production systems. The problem is most acute when an organisation restores a backup after a system failure: data whose retention period has expired and that was deleted from the production system may reappear when an older backup is restored.
DORA imposes detailed requirements on backup and restoration, including the scope of data backed up, backup frequency, and recovery time and recovery point objectives (RTO and RPO) for each function. Meeting these alongside GDPR retention rules requires planning and automation; at minimum, a record of the erasures carried out after each backup was taken, so that they can be re-applied when that backup is restored. As the Ministry of Digital Affairs pointed out in its guide for the FINTECH sector, not deleting data from backups may be justified for technical reasons, but organisations must demonstrate that the cost and effort of selective deletion are disproportionate to the risk.
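The re-application step described above, as an added example that is not code from the page or from any product it mentions: an append-only deletion ledger is written whenever production erases a subject, and a restore loads the snapshot and then replays the ledger, so erasures made after the backup was taken are not undone. The in-memory store stands in for a database, and the ledger would in practice be a separate, immutable, separately backed-up table that survives the same incident as the backup; all records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    rows: dict[str, dict]          # subject_id -> record, frozen at backup time


@dataclass
class DeletionLedger:
    """Append-only record of erasures: when, which subject, why.
    Holds identifiers only, never the erased content."""
    entries: list[tuple[datetime, str, str]] = field(default_factory=list)

    def record(self, when: datetime, subject_id: str, reason: str) -> None:
        self.entries.append((when, subject_id, reason))

    def erased_subjects(self) -> set[str]:
        return {sid for _, sid, _ in self.entries}


@dataclass
class Store:
    rows: dict[str, dict] = field(default_factory=dict)

    def snapshot(self, now: datetime) -> Snapshot:
        return Snapshot(now, {k: dict(v) for k, v in self.rows.items()})

    def erase(self, subject_id: str, now: datetime, ledger: DeletionLedger, reason: str) -> None:
        """Production erasure: remove the record and log it in the ledger."""
        self.rows.pop(subject_id, None)
        ledger.record(now, subject_id, reason)

    def restore_naive(self, snap: Snapshot) -> None:
        """What a plain restore does: resurrects everything in the backup."""
        self.rows = {k: dict(v) for k, v in snap.rows.items()}

    def restore(self, snap: Snapshot, ledger: DeletionLedger) -> set[str]:
        """Ledger-aware restore: load the snapshot, then re-apply every erasure
        in the ledger. Returns the subjects that had to be suppressed again."""
        self.restore_naive(snap)
        suppressed = {sid for sid in ledger.erased_subjects() if sid in self.rows}
        for sid in suppressed:
            del self.rows[sid]
        return suppressed


def scenario() -> tuple[set[str], set[str]]:
    """Backup, erase one subject, then restore twice. Returns the subject set
    after a naive restore and after a ledger-aware restore of the same snapshot."""
    t0 = datetime(2025, 1, 6, 2, 0)
    ledger = DeletionLedger()
    store = Store({
        "s1": {"name": "A. Kowalski", "email": "a@example.com"},
        "s2": {"name": "B. Nowak", "email": "b@example.com"},
        "s3": {"name": "C. Wiśniewska", "email": "c@example.com"},
    })
    backup = store.snapshot(t0)                                        # nightly backup
    store.erase("s2", t0 + timedelta(days=3), ledger, "erasure request")  # DSAR three days later
    store.restore_naive(backup)                                        # incident: plain restore
    naive = set(store.rows)
    store.restore(backup, ledger)                                      # same restore, ledger replayed
    return naive, set(store.rows)


if __name__ == "__main__":
    naive, aware = scenario()
    print("naive restore :", sorted(naive))
    print("ledger-aware  :", sorted(aware))
```

The ledger is also the evidence the FINTECH guide asks for: it shows which erasures were carried out, when, and that they were honoured on restore, without requiring the backup media themselves to be rewritten.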
3. Shadow IT and discovering unknown data repositories
Shadow IT, that is, tools, applications and cloud services used by employees without the knowledge or approval of the IT department, is a serious threat to the effective management of personal data retention. Personal data can be copied to personal OneDrive, Google Drive or Dropbox accounts, or stored in unapproved SaaS applications, bypassing corporate retention and security policies entirely.
The problem is particularly relevant under the NIS2 Directive, which requires a thorough inventory of all ICT assets and the implementation of asset management measures. DORA also requires a register of information covering ICT third-party services, including contracts with providers and data storage locations. Shadow IT creates “invisible” repositories of personal data that are not covered by standard retention processes, exposing the organisation to GDPR violations and to the inability to fully answer data subject access requests (DSARs) or requests for erasure.
4. Data minimisation versus business and regulatory needs
The principle of data minimisation, which is the foundation of the GDPR and requires the collection of only data necessary for specific purposes, often conflicts with the business needs of organisations that want to collect as much data as possible for analysis, personalisation of services or development of AI-based products. At the same time, many regulatory provisions (e.g., tax regulations, labour law, sectoral requirements) impose an obligation to store certain categories of data for long periods, which may be contrary to the principle of minimisation.
In the context of NIS2 and DORA, organisations must also retain certain data relating to security incidents, system logs and ICT risk management documentation for the periods specified in the regulations. The challenge is to find a balance between different, sometimes conflicting requirements and to design systems that are flexible enough to handle different retention periods for different categories of data and processing purposes, even when the same personal data is processed in multiple contexts simultaneously.
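The trend-1 passage above describes automated deletion once a retention period expires, and this challenge describes the same record being processed for several purposes with different periods. The block below is an added example that serves both (not code from the page or from any product it mentions): each purpose has its own clock and period, the record may be deleted only when every applicable period has run out and no legal hold applies, and anything without a documented rule is routed to a human rather than deleted. The periods and legal bases are illustrative assumptions, not legal advice, and the records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    purpose: str
    retain_days: int
    basis: str                 # where the period comes from (assumed labels)


RULES = {
    "marketing_consent": Rule("marketing_consent", 365, "consent, reviewed yearly"),
    "tax_records":       Rule("tax_records", 5 * 365, "tax law (assumed 5 years)"),
    "incident_log":      Rule("incident_log", 18 * 30, "ICT incident evidence (assumed)"),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    clocks: dict[str, date]    # purpose -> date its retention clock started
    legal_hold: bool = False


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str                # "delete" | "retain" | "review"
    dispose_on: Optional[date]
    reason: str


def decide(rec: Record, today: date) -> Decision:
    if rec.legal_hold:
        return Decision(rec.record_id, "retain", None, "legal hold blocks disposal")
    unknown = sorted(p for p in rec.clocks if p not in RULES)
    if unknown or not rec.clocks:
        # Fail closed: no documented purpose means a human decides, not the job.
        why = f"no rule for {unknown}" if unknown else "no documented purpose"
        return Decision(rec.record_id, "review", None, why)
    ends = {p: start + timedelta(days=RULES[p].retain_days) for p, start in rec.clocks.items()}
    longest = max(ends, key=ends.get)       # the purpose that keeps the record longest wins
    dispose_on = ends[longest]
    if today >= dispose_on:
        return Decision(rec.record_id, "delete", dispose_on, "all retention periods expired")
    return Decision(rec.record_id, "retain", dispose_on,
                    f"{longest} runs until {dispose_on.isoformat()} ({RULES[longest].basis})")


def plan(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record IDs by action; only the delete list is handed to the automated job,
    and each decision's reason is what goes into the audit trail."""
    out: dict[str, list[str]] = {"delete": [], "retain": [], "review": []}
    for r in records:
        out[decide(r, today).action].append(r.record_id)
    return out


# Constructed records: subject s1 appears both in a marketing list and on an invoice.
TODAY = date(2025, 6, 1)
RECORDS = [
    Record("crm-1", "s1", {"marketing_consent": date(2023, 1, 10)}),
    Record("inv-7", "s1", {"marketing_consent": date(2023, 1, 10), "tax_records": date(2023, 3, 31)}),
    Record("log-3", "s2", {"incident_log": date(2024, 2, 1)}, legal_hold=True),
    Record("tmp-9", "s3", {}),
]

if __name__ == "__main__":
    for r in RECORDS:
        d = decide(r, TODAY)
        print(f"{d.record_id:6} {d.action:7} {d.dispose_on} {d.reason}")
```

Note that the marketing copy of s1 (crm-1) is deleted while the invoice copy (inv-7) is kept under the tax rule: minimisation is applied per purpose and per copy, not per subject, and the reason string records which rule justified keeping the data.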
5. Migrating legacy systems while maintaining compliance
Many organisations still base their operations on outdated legacy ICT systems that were not designed with modern requirements for personal data protection, automatic retention or advanced security measures required by NIS2 and DORA in mind. Migrating data from these systems to a modern cloud infrastructure while maintaining compliance with GDPR, NIS2 and DORA is one of the most complex technical and organisational challenges.
Legacy systems often store personal data in unstructured formats, without proper tagging or classification, making it difficult to identify data subject to retention. In addition, older systems may not offer native encryption, access control or audit functions required by NIS2 and DORA. The migration process must ensure that no personal data is lost, compromised or accidentally disclosed, and that all retention periods are correctly transferred to the new system.
Summary
Managing personal data retention in ICT systems in the context of NIS2 and DORA requirements requires organisations to take a strategic approach combining advanced technologies, clear and practical policies, and continuous compliance monitoring. Trends such as automation, AI-powered data discovery, Zero Trust, immutable backups and PETs offer powerful tools to meet these challenges, while issues related to multi-cloud, shadow IT, data minimisation and data migration from legacy systems require thoughtful planning and collaboration between IT, compliance and business departments.
The key to success is to treat retention management not as an isolated regulatory requirement, but as an integral part of an organisation’s cybersecurity and operational resilience strategy. Tools such as Oblivio, Nocturno, Revelio and Detecto offered by Wizards provide comprehensive support for the automation of retention, anonymisation, monitoring and detection of personal data, helping organisations meet GDPR, NIS2 and DORA requirements in a consistent and effective manner.