Wizards | Current trends and challenges in managing personal data retention in information and communication technology (ICT) systems in the context of NIS2 and DORA requirements

Personal data retention management in ICT systems faces unprecedented challenges resulting from increasingly restrictive regulatory requirements in the field of cybersecurity and personal data protection. The NIS2 Directive and the DORA Regulation introduce new standards for information security and digital operational resilience that directly affect how organisations must manage the information lifecycle, including personal data in particular.

NIS2 focuses on the security and continuity of IT systems, requiring key and important entities to implement advanced ICT risk management procedures, mandatory incident reporting, and the use of encryption and multi-factor authentication. DORA, on the other hand, aimed primarily at the financial sector, imposes detailed requirements for data backup, testing of recovery procedures and management of risks associated with ICT service providers.

In this context, organisations must not only comply with GDPR rules on data minimisation and specific retention periods, but also ensure that their ICT systems are resilient to cyber attacks, enable rapid data recovery and ensure full transparency in information processing. Contemporary trends, such as the automation of data lifecycle management, the use of artificial intelligence for the detection and classification of personal data, and the implementation of Zero Trust architecture, offer new opportunities but also bring challenges related to system integration, data management in multi-cloud environments, and ensuring compliance with multiple overlapping regulations.

Below, we present five key trends and five major challenges facing organisations managing personal data retention in the context of NIS2 and DORA requirements.

Five key trends

1. Automation of personal data lifecycle management

Automation of data retention processes is becoming standard in modern organisations that need to manage vast amounts of personal data while complying with increasingly complex regulatory requirements. Automated data lifecycle management tools optimise the identification, classification and deletion of data in accordance with established retention policies.

IT systems enable the automatic transfer of older data to “cheaper” storage layers, the elimination of unnecessary information, and the assurance that personal data is deleted after the retention period required by law or legitimate business purposes. In the context of NIS2, which requires the implementation of ICT risk management policies and ICT network and system security, automation of retention allows organisations to consistently apply information security principles across their entire infrastructure, including all IT systems.

2. AI-supported detection and classification of personal data

The use of artificial intelligence for the automatic detection and classification of personal data is revolutionising the way organisations identify sensitive information in their ICT systems. Machine learning-based tools can scan both structured and unstructured data, recognise patterns, and detect personal data that may have been overlooked by traditional identification methods.

Algorithms can achieve 95% accuracy in classifying personal data, which significantly outperforms manual methods and reduces the risk of human error. These systems use sentiment analysis and anomaly detection to comprehensively map the locations of personal data across the organisation. In the context of NIS2, which requires thorough knowledge of information resources and the implementation of data security policies, effective data detection is the foundation of retention management.

3. Implementation of Zero Trust architecture in data management

Zero Trust architecture, based on the principle of “never trust, always verify,” is becoming a key trend in securing access to personal data and managing its retention. The Zero Trust model requires continuous verification of the identity of all users, devices and systems at every interaction with data, the application of the principle of least privilege, and network micro-segmentation to limit the potential scope of attacks.

In the context of data retention management, it ensures that only authorised systems and users can initiate data deletion or archiving processes, which is particularly important in light of NIS2 requirements for access control and asset management. Additionally, Zero Trust includes end-to-end data encryption during both transmission and storage, which is required by both NIS2 and DORA.

4. Immutable backups as protection against ransomware

Immutable backups are becoming the industry standard in protection against increasingly sophisticated ransomware attacks that deliberately attempt to destroy backups before encrypting production data. WORM (Write Once, Read Many) technology ensures that once a backup is created, it cannot be modified, deleted or encrypted for a specified retention period – even by administrators with full privileges.

Immutable backups are particularly important in the context of DORA requirements, which require financial institutions to configure backup systems capable of surviving cyber incidents and to regularly test data recovery procedures. NIS2 also requires ensuring the continuity of ICT systems through appropriate business continuity planning, including up-to-date backups and data recovery strategies for ICT systems.

5. Privacy enhancing technologies

Privacy enhancing technologies (PETs) are gaining importance as tools that enable organisations to use data for analytical purposes while maintaining individual privacy. PETs include a range of techniques such as anonymisation, pseudonymisation, differential privacy, federated learning, homomorphic encryption and synthetic data, which allow data to be processed without compromising individual privacy.

In the context of data retention management, PETs offer an alternative to completely deleting data after the retention period has expired. Instead, data can be anonymised or pseudonymised, allowing it to be further used for statistical, research or AI model training purposes, while meeting the GDPR requirements for data minimisation. NIS2 and DORA, by requiring the use of advanced cryptographic measures and data protection, create a favourable environment for the adoption of PETs.

Five key challenges

1. Retention management in multi-cloud environments

Organisations are increasingly using multi-cloud strategies, storing data on different cloud platforms (AWS, Azure, GCP) and with different SaaS providers, which creates enormous challenges for the consistent management of personal data retention. Each cloud provider has its own set of services, APIs, compliance certifications, and security models, making it difficult to implement uniform retention policies across all locations.

The challenge is particularly relevant in the context of the DORA regulation, which requires financial institutions to keep detailed records of all ICT services and systems provided by external suppliers, including the location of data storage supporting critical operational functions. NIS2 also imposes an obligation to manage supply chain security and cooperate with suppliers in assessing risks and implementing appropriate procedures to protect against cyber attacks.

2. Ensuring backups comply with retention policies

One of the most difficult challenges in data retention management is ensuring that personal data is actually deleted from backups as well, and not just from production systems. The problem is particularly complex when an organisation restores a backup after a system failure. Data that has already been retained and deleted from the production system may be restored from an older backup.

DORA imposes detailed requirements for data backup and recovery, including specifying the scope of data covered by the backup, the frequency of backups, and the RTO and RPO for each function. However, meeting these requirements and the GDPR rules on retention simultaneously requires advanced planning and automation. As the Ministry of Digital Affairs pointed out in its guide for the FINTECH sector, not deleting data from backups may be justified for technical reasons, but organisations must demonstrate that the costs and effort of selective deletion are disproportionate to the risk.

3. Shadow IT and discovering unknown data repositories

Shadow IT, i.e. unauthorised (illegal) tools, applications and cloud services used by employees without the knowledge of the IT department, poses a serious threat to the effective management of personal data retention . Personal data can be copied to personal accounts on OneDrive, Google Drive, Dropbox or stored in unapproved SaaS applications, completely bypassing corporate retention and security policies.

The problem is particularly relevant in the context of the NIS2 Directive, which requires a thorough inventory of all IT resources and the implementation of asset management measures. DORA also imposes an obligation to keep a detailed record of all ICT services, including contracts with suppliers and data storage locations. Shadow IT creates “invisible” repositories of personal data that are not covered by standard retention processes, exposing the organisation to GDPR violations and the inability to fully comply with data access requests (DSAR) or the right to be forgotten.

4. Data minimisation versus business and regulatory needs

The principle of data minimisation, which is the foundation of the GDPR and requires the collection of only data necessary for specific purposes, often conflicts with the business needs of organisations that want to collect as much data as possible for analysis, personalisation of services or development of AI-based products. At the same time, many regulatory provisions (e.g., tax regulations, labour law, sectoral requirements) impose an obligation to store certain categories of data for long periods, which may be contrary to the principle of minimisation.

In the context of NIS2 and DORA, organisations must also retain certain data relating to security incidents, system logs and ICT risk management documentation for the periods specified in the regulations. The challenge is to find a balance between different, sometimes conflicting requirements and to design systems that are flexible enough to handle different retention periods for different categories of data and processing purposes, even when the same personal data is processed in multiple contexts simultaneously.

5. Migrating legacy systems while maintaining compliance

Many organisations still base their operations on outdated legacy ICT systems that were not designed with modern requirements for personal data protection, automatic retention or advanced security measures required by NIS2 and DORA in mind. Migrating data from these systems to a modern cloud infrastructure while maintaining compliance with GDPR, NIS2 and DORA is one of the most complex technical and organisational challenges.

Legacy systems often store personal data in unstructured formats, without proper tagging or classification, making it difficult to identify data subject to retention. In addition, older systems may not offer native encryption, access control or audit functions required by NIS2 and DORA. The migration process must ensure that no personal data is lost, compromised or accidentally disclosed, and that all retention periods are correctly transferred to the new system.

Summary

Managing personal data retention in ICT systems in the context of NIS2 and DORA requirements requires organisations to take a strategic approach combining advanced technologies, clear and practical policies, and continuous compliance monitoring. Trends such as automation, AI-powered data discovery, Zero Trust, immutable backups and PETs offer powerful tools to meet these challenges, while issues related to multi-cloud, shadow IT, data minimisation and data migration from legacy systems require thoughtful planning and collaboration between IT, compliance and business departments.

The key to success is to treat retention management not as an isolated regulatory requirement, but as an integral part of an organisation’s cybersecurity and operational resilience strategy. Tools such as Oblivio, Nocturno, Revelio and Detecto offered by Wizards provide comprehensive support for the automation of retention, anonymisation, monitoring and detection of personal data, helping organisations meet GDPR, NIS2 and DORA requirements in a consistent and effective manner.

In early August 2025 the EU introduced its first voluntary Code of Conduct for general-purpose AI (often dubbed the “AI Pact” or “AI Code of Practice”), intended as a bridge until the formal AI Act takes full effect. According to the European Commission, this code is a voluntary set of principles for AI developers – especially makers of advanced models like ChatGPT or image generators – designed to ensure that AI is developed “in a safe, responsible way and in line with European values”. In practice, the Code lays out guidelines on transparency, copyright and safety to help companies prepare for the new AI Act. (The AI Act itself – the EU’s binding AI law – will impose formal rules and fines for high-risk AI, with key provisions for general-purpose AI coming into force in August 2025.)

Key Provisions of the AI Code

The voluntary AI Code focuses on three main areas – transparency, copyright respect and safety – with concrete commitments for model developers. Its requirements include:

Transparency and documentation: Companies must fully document the data and design choices used to train and build their AI models, and even report metrics like energy consumption during training and operation.
Copyright compliance: Developers are forbidden from training AI on illegally obtained or pirated content. They must respect copyright restrictions (for example, honoring paywalls and robots.txt) so that copyrighted works are not used without permission.
Safety measures and incident reporting: Firms must establish processes to address cases where an AI system produces harmful or infringing content. In particular, major incident reports (such as security or bias issues) must be passed on promptly to the new EU AI regulator – within about 5–10 days of discovery. Regular independent audits by external experts are also encouraged to verify model safety and compliance.
Identification of AI-generated content: The Code calls for mechanisms that help users recognize AI-generated text, images or video. For example, outputs could carry digital watermarks or clear labels indicating they were produced or significantly altered by AI.. This “traceability” measure aims to fight disinformation by making automated content transparent to the public.

Each signatory pledges to adopt these practices even though the Code itself has no legal force. In effect, it serves as a preparatory framework so that when the AI Act’s rules apply, companies will already have internal compliance mechanisms in place.

Industry Response and Signatories

Reactions to the Code have been mixed. On one hand, dozens of prominent tech firms have signed on. As Spider’s Web reports, about 26 companies – including U.S. giants like Google, Microsoft, Amazon and IBM – committed to the Code’s three pillars (transparency, copyright and security). AI-specialists such as OpenAI and Anthropic (backed by Amazon) also joined, as well as European startups like Mistral AI and Aleph Alpha, signaling that EU and U.S. players alike are participating.. By signing, these organizations agree to be more transparent about their models, use only legally obtained training data, and conduct robust safety testing. EU officials note that firms who sign gain an “administrative advantage” – the Commission will monitor them as cooperative partners rather than launching enforcement actions – which in practice can mean more legal certainty and faster market access for new AI features.

On the other hand, some of the biggest tech players have balked. Meta’s leadership publicly refused to sign: its global policy chief Joel Kaplan called the EU’s approach “impractical and infeasible,” arguing that the Code creates legal uncertainties by going beyond even the scope of the AI Act.. Google representatives have expressed similar concerns, characterizing the Code as a “step in the wrong direction” for Europe’s competitiveness.. Apple has delayed its own European AI rollout over separate market issues (Digital Markets Act concerns), and Elon Musk’s xAI (maker of the Grok model) signed only the safety chapter of the Code, rejecting the transparency and IP commitments. Industry lobby groups like the CCIA (whose members include Google and Meta) have also openly criticized the voluntary guidelines.

This split is being watched closely. Some commentators call it a “moment of truth” for the tech industry: signing the Code signals a willingness to play by EU rules, while refusal could invite stricter scrutiny. In fact, media analyses note that even though the Code is non-binding, not signing it may incur consequences – regulators have hinted that companies who opt out might face more rigorous oversight and enforcement under the forthcoming AI Act. Thus far, major American AI firms like OpenAI have indicated they will comply with the Code, while Chinese AI companies (e.g. Huawei) have largely been absent from the list of signatories.

Implications for EU AI Law and Policy

The EU’s new AI Code functions as an early test of how EU law can influence AI development. As Press.pl observes, it is explicitly a “voluntary initiative” adopted in 2023 as part of the broader EU AI strategy, meant to set de facto standards until the AI Act is fully enforced. In practice, the Code’s guidelines mirror key elements of the AI Act: transparency about model data, strict conditions on training data, and obligations to ensure safety. By aligning industry practices ahead of time, the Commission hopes to smooth the transition to the binding AI Act regime.

Crucially, the Code’s approach reflects a phased regulatory philosophy. The formal AI Act (a landmark EU regulation passed in 2021) will impose mandatory rules and hefty fines (up to 6% of global revenue) for high-risk AI uses starting in 2026, with general-purpose AI covered from August 2025.. The Code, entering in August 2025, is essentially a run-up to that moment. Business Insider emphasizes that the Code “will help companies comply with the groundbreaking AI Act,” especially on issues like author rights and transparency.. In fact, general-use AI models (ChatGPT-style systems) already fell under new EU requirements as of August 2025.. The voluntary Code was intended to give firms a head-start: it helps them build compliance processes for the AI Act’s eventual obligations.

Summary

In summary, while the Code has no teeth on its own, it acts as a test of EU regulatory influence. If companies largely adopt its measures, it could validate the EU’s collaborative strategy. If resistance prevails, it could signal tensions ahead – as one trade publication puts it, it’s the moment when companies must “play by European rules or risk confrontation with regulators”.. The Commission has framed this as necessary for EU values: ensuring that generative AI is transparent, respects copyright, and keeps society safe during this transitional period.

With the DORA regulation coming into force in January 2025, financial institutions must carefully review their relationships with ICT providers. Until now, many banks have struggled to enforce audit rights, even when such clauses were formally included. DORA requires full, unrestricted rights of access, control and audit, as well as cooperation between the provider and the regulator. Below, we outline the obligations, challenges, model contract clauses, and alternative supervision methods in line with the regulation.

Audit as a Regulatory Obligation – What Does DORA Say?

DORA introduces harmonised requirements for ICT risk management and supplier oversight across the EU. Each ICT agreement must include the right to unlimited control, exercised by the institution or an appointed third party. This includes access to documentation, systems, on-site visits, and the right to copy necessary data. The provider must also fully cooperate with the competent supervisory authority.

Challenges with Global Providers (AWS, Azure, Google)

Hyperscalers use standard terms, making negotiation of detailed audit clauses difficult. Smaller institutions have limited bargaining power and often receive only SOC reports or certificates.
DORA introduces a Lead Overseer, who may supervise critical ICT providers directly at the EU level. However, institutions must still actively enforce agreed provisions and monitor associated risks.

Contractual Clauses: Examples and Best Practices

An outsourcing agreement should include the full scope of services, locations, SLAs, security measures, and a contingency plan. A key clause grants the institution the right to perform remote and on-site audits, either periodically or ad hoc. The regulator must have the same rights of access and control at the provider. The contract should limit sub-outsourcing or require institutional consent for key subcontractors. It is important to specify data locations and the procedure for jurisdictional changes.
The contract must include incident response support, response time definitions, and security standards (e.g. ISO 27001). Termination clauses should cover serious breaches, weak ICT risk governance, or obstructed oversight.

Alternatives: Third-Party Assurance, ISO Certificates, SOC Reports

Institutions may rely on joint audits or independent auditor reports, sharing both costs and outcomes. ISO 27001 certificates or SOC 2 reports offer a basic level of oversight for less critical services.
The institution should verify the validity of such attestations annually and request details on any non-conformities. For high-risk services, a certificate cannot replace a full on-site audit.

Cooperation with Regulators in Disputed Situations

The regulator may organise a tripartite meeting, often motivating the provider to cooperate. The institution should document requests, audits, and corrective actions, keeping the regulator informed of progress. If a non-EU provider refuses to share data, the regulator may invoke international cooperation mechanisms.

Summary

DORA requires enhanced oversight of ICT providers and the update of critical outsourcing agreements. Success depends on clear clauses, their daily enforcement, and proactive collaboration with regulators.
Strategies based on certifications and external audits may reduce costs but do not replace risk accountability. The new rules provide institutions with stronger tools to maintain operational resilience.

The new EU Delegated Regulation (EU) 2025/532 introduces detailed requirements for outsourcing ICT services supporting critical or important functions. It complements the DORA regulation and imposes strict oversight duties on financial institutions. Managers in banks and insurers must monitor not only main IT providers but also their subcontractors. ICT providers working with the financial sector must prepare for new contractual duties, audits, and transparency rules.

Outsourcing ICT is like a system of gears – failure of one part can stop everything. Managers must fully understand how this mechanism works in their organization.

DORA and New ICT Subcontractor Standards

On January 17, 2025, the DORA regulation took effect. It aims to strengthen the digital resilience of the financial sector. DORA requires institutions to manage ICT risk, report incidents, and oversee IT vendors. The EU now introduces executive acts to clarify DORA obligations. The Delegated Regulation (EU) 2025/532 is one of them. It defines technical standards for cases where a vendor uses subcontractors to deliver services to financial institutions.

Managing ICT outsourcing risk from the ground up

A financial firm must understand the risk in the full ICT supply chain. Regulation 2025/532 requires that before signing an outsourcing contract, institutions must decide if subcontracting is allowed – and under what conditions. Article 3(1) says: “Before entering into contractual arrangements with an external ICT provider, the financial entity shall decide whether that provider may subcontract the ICT service […] only if all the following conditions are met.”

In short: Before allowing subcontractors, institutions must assess risk and ensure all safety criteria are fulfilled.

What factors should be considered? Article 1 says the institution must evaluate its own risk profile, operational scale, and key factors affecting outsourcing risk, such as:

The type of ICT services being subcontracted – whether critical infrastructure or simple support tasks.
The criticality of the service: the more vital, the more caution needed.

Rights of access and audit

The institution must retain the right to audit all levels of the subcontracting chain. Article 5 says contracts must include full access and inspection rights. This includes on-site audits, even at subcontractor locations. ICT providers must not block access. The institution must be able to monitor performance, compliance, and incident handling. If access is denied, the provider may breach DORA compliance.

Termination rights and risk mitigation

If a subcontractor creates unacceptable risk, the contract must allow termination. Article 6 emphasizes the need for clear exit strategies. Financial institutions must define steps to end cooperation if security or compliance is compromised. Backup plans must be in place to avoid disruptions. Institutions must ensure the continuity of services in case of sudden termination.

Applying the regulation in practice

These obligations are not optional. Regulation 2025/532 applies to all financial firms using external ICT. CEOs, compliance leads, and IT managers must align outsourcing contracts with the law. Providers outside the EU – such as cloud hyperscalers – must also comply. Institutions must renegotiate terms where necessary. Practical steps include: reviewing all ICT contracts, mapping subcontractors, introducing audit clauses, and preparing for inspections.

Summary for decision-makers

Regulation 2025/532 strengthens the DORA framework. It ensures that even hidden layers in ICT outsourcing are secure and under control. Decision-makers must focus on clarity in contracts, transparency in subcontracting, and strong audit rights. Compliance is not just legal duty – it’s essential for resilience. The entire ICT supply chain must support security, continuity, and regulatory oversight.

ICT Outsourcing and New Obligations under DORA

ICT outsourcing that supports critical or important operational functions is now one of the most complex and sensitive areas of compliance under the DORA regulation. Although the financial sector has relied on external IT providers for years. It must now effectively oversee not only the primary service provider but also the entire network of subcontractors. Including infrastructure vendors, integrators, fintech firms, or non-EU hyperscalers.

Key Challenges According to Compliance Departments

Compliance experts point to several recurring challenges. One of them is the lack of transparency and visibility between subsequent parties in the supply chain. The complex structure of relationships between ICT providers often limits effective oversight of all process participants.

Many financial institutions are forced to renegotiate existing contracts with providers to incorporate new regulatory requirements. However, they often face limited openness from partners – especially global cloud providers who hold a strong negotiating position, making agreement difficult.

Another issue is the checklist-based approach to due diligence, where responses are superficial and not backed by real risk analysis. In such cases, there is a risk of apparent compliance without real control over service quality and security.

Organizations must also build early warning systems that enable rapid assessment of changes in the subcontracting chain. Their impact on business continuity and overall risk profile. In capital groups operating across multiple markets, an additional challenge arises from inconsistent subcontracting policies, especially outside the EU.

RTS 2025/532: Specific Requirements for Financial Institutions

In response to these challenges, the European Commission published Delegated Regulation 2025/532. Defining Regulatory Technical Standards (RTS) on ICT outsourcing and subcontractor management. Article 5(1) states:

“Financial entities shall implement operational risk management frameworks covering the entire chain of ICT subcontractors, regardless of their location and level of dependency.”

The regulation emphasizes that a financial institution cannot transfer compliance responsibility – even when ICT services are further subcontracted. Before signing a new agreement (or amending an existing one), a thorough due diligence must be conducted, assessing each subcontractor’s technical, financial, and security capabilities.

Institutions must also maintain a comprehensive register of all supply chain entities, monitor their activities, and evaluate associated risk levels, considering geographical reach and the complexity of relationships. Importantly, under Article 6(3):

“Financial entities shall include in outsourcing contracts provisions related to audit rights, reporting requirements, and conditions for termination in case of risk levels exceeding acceptable thresholds.”

This requires contracts to include specific clauses on permissible subcontracting, change notifications, objection rights, and the ability to terminate the contract.

For parent entities operating within capital groups, it is crucial to ensure consistent ICT outsourcing policies across the organization – including beyond the EU. This involves unifying collaboration principles with providers, implementing common procedures. Conducting internal training and audits to ensure compliance with DORA.

What Should Compliance Managers Do?

Compliance teams must act swiftly and decisively. Reviewing current outsourcing policies should be paired with mapping the entire supply chain, identifying key risk areas, and updating contract terms accordingly.

Special attention should be given to non-EU providers, entities with strong negotiating leverage, and cloud infrastructure operators. Well-prepared institutions will not only ensure DORA compliance but also strengthen operational resilience, reduce systemic risk. And improve collaboration quality with external service providers.

In an era of growing digitalization and globalization. Effective ICT outsourcing management becomes one of the key pillars of financial sector security.

Wizards’ Support in ICT Outsourcing Management

The Wizards team supports organizations in assessing ICT outsourcing risks, preparing RTS-compliant contracts, and creating monitoring and reporting mechanisms. If you need practical assistance – get in touch.

In an era of strict GDPR regulations and growing cybersecurity threats, Polish companies must build resilient organizations. The key lies in a comprehensive approach to data protection and IT processes. Wizards offers four integrated tools – Oblivio, Nocturno, Revelio, and Detecto – that work together in one ecosystem. This allows management to centrally handle data retention, anonymization, and sensitive information detection across the infrastructure. These tools are essential for legal compliance and for avoiding severe penalties.

Oblivio

Oblivio is a solution for personal data retention and enterprise data management. It allows organizations to define storage rules (e.g., based on contract validity) and automatically delete or anonymize information once the legal basis for processing expires. For example, when a client contract ends or an employee leaves the company. Oblivio detects the loss of legal grounds and, after supervisor approval, initiates anonymization across linked systems (e.g., CRM and marketing tools), maintaining data consistency.

Without such a system, outdated data may remain processed unlawfully. In practice, companies might still collect and share data for which they no longer have consent. This violates Article 17 GDPR (right to erasure) and Article 5 GDPR (data minimization). Under Article 83 GDPR, such violations may result in fines of up to EUR 20 million or 4% of the company’s global turnover.

Nocturno

Nocturno is an anonymization engine that uses extensive dictionaries and generators to retain the structure of production-like data. It enables organizations to process large datasets across many systems while ensuring consistency post-anonymization. For instance, an IT firm uses Nocturno to replace real names, national IDs, or tax numbers with synthetic equivalents in test environments.

Without anonymization tools, unencrypted personal data might leak during development or testing. This breaches Article 32 GDPR (security of processing) and Article 5 GDPR (lawfulness and integrity). Polish labor law also obligates employees to protect company interests and confidential information (Art. 100 §2 pt. 4 of the Labour Code). Violations may lead to disciplinary penalties or even civil liability.

Revelio

Revelio helps discover sensitive or personal data in shared files (e.g., emails, desktop folders, cloud drives). It identifies documents and business processes that generate confidential files and suggests digitalization. For instance, Revelio can scan network drives to find outdated spreadsheets with customer data, allowing the company to proactively manage document risk.

Without regular scanning, files may remain unprotected and unknown to IT teams. This breaches Article 5.1(a) GDPR (lawful and transparent processing) and Article 32 GDPR, as well as internal security policies. Labor Code Art. 100 §2 pt. 4 obliges employees to safeguard company information. Failure may lead to fines, disciplinary actions, or administrative penalties. The Polish DPA may impose fines of several million euros under Article 83.

Detecto

Detecto scans databases to find personal or sensitive data (e.g., national IDs, financial data). It monitors changes in database structures to identify areas requiring anonymization or retention. For example, an IT department can use Detecto before launching a new CRM to locate legacy data and take appropriate measures.

Without data mapping, companies lack visibility into sensitive data exposure. This can lead to leaks during migrations and violates Article 32 GDPR. (failure to implement adequate safeguards) and obligations under Poland’s Cybersecurity Act. Sanctions can reach EUR 10 million or 2% of global turnover, and in severe cases, up to EUR 20 million or 4% of turnover. The President of UKE may also impose fines up to 10% of turnover for failing to report major ICT incidents.

Conclusion

Deploying Oblivio, Nocturno, Revelio, and Detecto builds legal compliance and operational resilience. These four tools form a cohesive defense against data breaches and penalties. Contact Wizards today to ensure your organization stays protected and regulation-ready.

Digital Operational Resilience Act (DORA) is a new EU regulation focused on strengthening the digital operational resilience of financial institutions. It aims to ensure operational stability against cyber threats through effective ICT risk management, mandatory incident reporting, and regular system testing. So how to implement DORA in an insurance company?

DORA will apply from January 17, 2025, following a two-year transition period that began in January 2023. Insurance companies – like banks, investment firms, and other financial institutions – must adapt quickly. Only then can they remain compliant and ensure business continuity.

What is DORA and who is affected?

The Digital Operational Resilience Act (DORA) is an initiative of the European Union to improve cybersecurity and digital resilience in the financial sector.

It introduces common rules requiring institutions to manage ICT incidents. They should be able to prevent, respond to, and quickly recover from disruptions.

DORA applies to 20 categories of entities, including insurance companies, insurance brokers, banks, fintechs, VC funds, and payment service providers. Importantly, it also covers ICT service providers, such as cloud or IT outsourcing companies. If classified as critical providers, they may be subject to direct supervision.

Why was DORA introduced?

DORA addresses the rising number of cyberattacks and the increasing dependency of financial services – especially insurance – on technology.

A cyberattack happens every 39 seconds globally. The financial damage caused by cybercrime reaches €5 trillion annually. Disruptions like ransomware, data center outages, or human error can paralyze core services and affect entire markets.

DORA aims to prevent this. Insurance companies must have contingency plans, strong safeguards, and incident response procedures. As a result, both financial stability and customer trust are strengthened.

Key DORA requirements for insurance companies

DORA imposes a set of obligations aimed at improving digital resilience. Here are the most important areas:

Insurance companies must implement a comprehensive ICT risk management system, integrated into the overall enterprise risk framework. This includes security policies and procedures, clearly defined roles and responsibilities (involving top management), regular risk assessments, and mitigation plans. Senior executives must be directly engaged and regularly approve the strategy, allocate resources, and build a culture of cybersecurity awareness.

Insurance companies are required to classify, manage, and report ICT incidents. Major events – such as data breaches, ransomware attacks, or system failures – must be reported to the national authority (in Poland, this is the KNF). A preliminary report is due within 24 hours, followed by updates and a final report. Internal tools must ensure rapid alerts to both leadership and the regulator. For example: if ransomware encrypts data and disrupts services, the company must notify the KNF within one day and take corrective actions.

And..

DORA requires cyclical security and resilience testing. Insurers must conduct penetration tests, vulnerability scans, simulation exercises, and business continuity tests. Larger organizations must also undergo TLPT (Threat-Led Penetration Testing) by independent experts every three years. Test results should be documented and used to improve security procedures.

If an insurer uses external ICT providers (e.g. cloud services, data center outsourcing), it must manage these risks proactively. DORA requires contract registers, due diligence, and regular risk assessments of each critical provider. Contracts must include clauses on security, incident reporting, continuity, testing, and audit rights. Companies must also have exit strategies in place for critical services. Large providers may be classified as Critical Third-Party Providers (CTPP) and subject to EU-level supervision – in such cases, insurers must provide additional documentation to regulators.

DORA mandates Business Continuity Plans (BCP) and Disaster Recovery (DR) plans. These plans should address possible scenarios such as long-term system failures or large-scale data breaches. Companies must test and update these plans regularly to ensure fast service recovery.

While not mandatory, DORA encourages institutions to share information on cyber threats. Participating in networks like ISACs can help insurers react faster and learn from others. If they do, they must inform regulators and ensure confidentiality in data exchange.

how to implement DORA in an insurance company

Non-compliance with DORA: what are the risks?

Failing to comply with DORA can lead to serious legal and financial consequences. Regulators have strong tools to enforce compliance:

Fines: Up to €10 million or 2% of global turnover for standard violations. For the most severe breaches: up to €20 million or 4% of turnover.
Executive liability: Fines up to €1 million can be imposed on board members or senior managers. In extreme cases, they can be banned from holding leadership roles in the sector.
Supervisory actions: Authorities may issue binding orders or suspend operations until compliance is restored. They can also block cooperation with high-risk ICT providers.
Public disclosure: Names of non-compliant companies are made public, leading to reputational damage, customer loss, and media scrutiny.

Strengthen your digital resilience today

For insurers, DORA is both a challenge and an opportunity. Yes, it requires investment in security, policies, and training. But it also delivers stronger operational resilience – an invaluable asset in a world of growing cyber threats.

Management should see DORA not just as a legal obligation, but as a chance to modernize IT governance and improve risk oversight. Proactive insurers will gain a competitive edge.

how to implement DORA in an insurance company? If you need guidance on how to implement DORA in your insurance company – contact the Wizards team. Our experts will support you in gap analysis, action planning, and implementation. With Wizards, you’ll meet regulatory requirements faster and gain measurable security benefits.

Let’s work together to build your digital resilience.

Preparing for a GDPR audit can raise concerns—do we know exactly where all personal data is processed? Is every action documented? Do we have up-to-date consents?
To reduce uncertainty, it’s essential to perform a full inventory of data and processing activities. This involves collecting information about all systems, processes, and assets related to personal data within the company. The result is a comprehensive data map—showing what happens, where, and for what purpose—which is crucial for demonstrating compliance with GDPR.

At the same time, organizations should verify formal aspects: the accuracy and completeness of documentation (e.g., policies, data processing agreements), the legal basis for processing, and the validity of obtained consents. Preparing for a personal data audit is not just a checklist exercise—it’s a key step toward full GDPR compliance and improved data security.

Key GDPR Responsibilities to Keep in Mind

Before an audit, it’s worth reviewing the main responsibilities of a data controller. These include:

Identification of personal data – A detailed inventory of all systems, processes, and storage locations where personal data is held. This includes IT systems, databases, documents, and storage media containing employee or customer data. A comprehensive overview is the foundation for proving GDPR compliance.
Data minimization and purpose limitation – According to Article 5 of the GDPR, personal data must be adequate, relevant, and limited to what is necessary for specific purposes. Organizations must collect only the data needed for clearly defined business goals and avoid using it for unrelated purposes.
Data retention – The GDPR requires that data not be kept longer than necessary. The controller must define data retention periods and regularly review stored data. Once the processing purpose is fulfilled, the data should be deleted or anonymized without delay. These periods should also be recorded in the data processing register (Article 30).
Right to be forgotten – Article 17 gives individuals the right to request deletion of their data. The controller must erase the data “without undue delay” when it’s no longer needed or when consent is withdrawn. Organizations must implement procedures to fulfill such requests, including removing data from all systems and notifying third parties if needed.
Accountability and documentation – GDPR introduces the principle of accountability. Data controllers must demonstrate compliance with all data protection principles (lawfulness, fairness, transparency, etc.). This requires proper documentation: a processing register (Article 30), data protection policies, security procedures, incident records, and more. For example, Article 30 requires that categories of data, processing purposes, and planned deletion dates be properly documented. Good records make it easier to demonstrate compliance during audits.

How Wizards Products Support GDPR Compliance

Preparing for a GDPR audit can be faster and more effective with the right tools. Wizards products address key data protection needs:

Detecto – Scans systems and databases for personal data. Detects tables and fields with sensitive content and identifies changes in database structure. This helps with complete data asset inventories and supports anonymization and retention processes by keeping personal data under continuous review.
Revelio – Searches for personal data in dispersed documents. It scans shared folders, employee devices, and email inboxes to locate documents containing sensitive data. This allows organizations to pinpoint where personal data resides—supporting audits and digitization efforts.
Nocturno – An advanced anonymization tool for test and development environments. It uses an extensive set of dictionaries and generators to anonymize data across multiple systems while maintaining consistency and original data formats (e.g., date formats, checksums). It replaces personal data with realistic fictitious values without breaking testing workflows.
Oblivio – A data retention and compliance management system. It acts as an internal platform covering all systems that process personal data. Oblivio monitors retention periods based on predefined rules and detects when the legal basis for processing expires. Once the retention period ends, it automatically launches anonymization workflows and generates audit-ready reports of data retention and deletion.

Checklist: Are You Ready for a GDPR Audit?

Before the audit, verify whether your company meets the key data protection requirements:

Have you inventoried all personal data sets and processing activities in your organization?
Do you maintain an up-to-date record of processing activities (ROPA) in accordance with Article 30?
Are written policies, procedures, and data protection instructions in place and implemented (for processing, security, incident handling, etc.)?
Are the legal bases for data processing (contracts, consents, authorizations, DPO decisions, risk assessments/DPIAs) current and documented?
Have you defined retention periods for various categories of personal data and implemented mechanisms to delete or anonymize data once those periods expire?
Have employees completed mandatory data protection training, and has a Data Protection Officer (DPO) or responsible person been appointed?

Regularly reviewing these points will help structure your audit preparation and reduce the risk of non-compliance.

Ensure GDPR Compliance with Wizards

Preparing for a GDPR audit is not something you should approach blindly. Rely on the expertise of our team and our modern compliance tools.
Book a meeting with the Wizards compliance team to discuss your organization’s needs. During the session, we’ll show how our products—Detecto, Revelio, Nocturno, and Oblivio—can streamline your data inventory, automate retention and anonymization processes, and help you prepare confidently for audits. Ensure full GDPR compliance and peace of mind—contact Wizards today.

Implementing DORA in a financial institution requires full compliance with the principles of digital operational resilience. The DORA regulation (2022/2554) obliges banks and their ICT service providers to continuously manage operational risk and cybersecurity. These requirements include the thorough identification and classification of all ICT assets, such as servers, applications, databases, and documents. Institutions must also document the relationships between these assets.

DORA mandates the implementation of IT incident handling procedures—from detection and analysis to system recovery. Any major cyber event must be reported according to official guidelines. Institutions are also required to regularly test system resilience, for example through penetration testing. Strict enforcement of data retention policies is equally crucial: data cannot be stored longer than legally permitted. Every change to the IT infrastructure must be logged and auditable.

Detecto – Data Identification and Risk Management

Detecto is a tool that automates the detection and classification of sensitive data in a company’s systems and documents. It uses AI technologies (OCR and NLP) to scan corporate resources (files, databases, emails) for personal and sensitive information. This makes it fully aligned with DORA’s requirement to identify all informational assets. Detecto enables organizations to:

Detect all instances of personal data (e.g., national ID numbers, addresses, bank accounts) in documents and databases—reducing weeks of manual work to just a few hours of automated analysis.
Generate reports that locate personal data assets—significantly simplifying internal and external audits (e.g., for DORA or GDPR compliance).
Analyze incidents—if a data breach occurs, Detecto can quickly identify whether sensitive information was involved and what type of data was exposed.

By offering these capabilities, Detecto supports effective information risk management. It automatically builds a catalog of critical data and their storage points, helping institutions assess potential threats. This enables better planning of ICT risk mitigation activities and supports DORA’s requirements for protecting assets from unauthorized access or damage.

Revelio – Detection of Unauthorized Resources and Data

Revelio scans shared file storage, employee computers, and email accounts to identify documents containing sensitive data. It uncovers “hidden” resources—files and folders containing personal data that were not previously included in official systems. Revelio helps institutions to:

Locate all documents with personal data (e.g., national IDs, medical or financial records) stored on company devices—providing visibility and enabling better protection.
Identify business processes that generate sensitive documents—supporting the transition to digital workflows and reducing risks associated with paper-based or uncontrolled data sources.
Support data retention policies—integrating with document deletion (anonymization) procedures once the retention period has expired. The system flags such files for archiving or deletion, helping to meet DORA and GDPR requirements.
Build employee awareness—through oversight and reporting features that delegate data security responsibility across the organization.

Revelio enhances visibility across the data environment and identifies unauthorized information assets. In the DORA context, it ensures no confidential data is “forgotten” within the IT structure. Integrated with Oblivio, it supports full enforcement of data retention policies—once documents with expired legal grounds are detected, Revelio enables their safe removal or anonymization. This ensures compliance with DORA data protection and retention requirements.

Nocturno – Safe Test Environments

Nocturno is a tool for creating secure test environments using anonymized production data. It allows financial institutions to test cyber resilience and business continuity without exposing real customer data. Nocturno uses custom dictionaries and generators to keep the structure of production data. It replaces real values like IDs, tax numbers, or birthdates with fictitious but valid ones. Key features include:

Anonymization across multiple databases while maintaining consistency—Nocturno processes large datasets in parallel and ensures that identical records are anonymized the same way across all systems. This results in realistic test environments (e.g., the same user receives consistent fake data in all databases).
Support for various database types (MySQL, Oracle, SQL Server, etc.) while respecting integrity constraints—Nocturno maintains checksums and table relations to avoid system failures.
Integration with Detecto—first identifying sensitive fields, then automatically anonymizing them according to business rules.

These features minimize the risk of using real personal data during testing or system migrations. DORA requires resilience testing to occur in secure environments while maintaining data confidentiality. Nocturno enables this by supporting tests such as disaster recovery or simulated attacks without exposing sensitive customer data.

Oblivio – Managing the Data Lifecycle

Oblivio is a tool for central management of data retention and anonymization across the entire organization. It helps define how long personal data (e.g., consents or contracts) may be stored. After this period expires, Oblivio automatically cleans the database. It integrates with other IT systems and triggers data anonymization or deletion once the legal basis expires. Core functionalities include:

Data retention configuration – setting rules for how long specific types of personal data can be stored. After this period, data is marked as expired.
Anonymization and deletion – once retention conditions are met, the system replaces customer data with fictional values (e.g., a synthetic identity) across all related systems. This enforces the “right to be forgotten” and prevents unnecessary data retention.
Reporting and audit – Oblivio provides detailed reports and statistics on deleted or anonymized records, enabling constant monitoring of the data retention policy.
Accountability – every data operation (deletion, modification) is logged, including who performed the action and when. This gives financial institutions a complete audit trail for compliance reviews.

Oblivio helps meet DORA requirements for managing the data lifecycle and ensuring accountability. Automating retention processes reduces human error and ensures that no sensitive data is kept without a legal basis. The detailed logs prove that the institution’s data management policies are properly enforced—critical for audits and compliance checks.

Summary

Implementing DORA in a financial institution requires the synergy of modern data management and security tools.

Detecto and Revelio automatically detect and classify data across systems and documents—supporting DORA’s inventory and asset protection requirements.
Nocturno enables safe testing using anonymized data, ensuring confidentiality is maintained during resilience assessments.
Oblivio manages the full data lifecycle—automating retention, deletion, and audit operations to ensure accountability and compliance.

By using Wizards tools together, financial institutions and ICT providers meet DORA’s technical requirements. At the same time, they strengthen operational resilience and are better prepared for cybersecurity incidents.

How can you break out of this dangerous pattern? The answer is vIn short, Oblivio acts like an intelligent data locator – scanning folders, databases, and cloud environments to identify what sensitive data is stored, where, and on what legal basis. Thanks to integration with Detecto, you can search for sensitive data across all company sources and systems.

As a central retention manager, Oblivio simplifies compliance with the right to erasure. It allows organizations to define clear data retention rules – specifying how long documents like contracts or employee records should be kept and assigning the legal grounds for doing so. Once the period ends, Oblivio automatically deletes or anonymizes the data in line with GDPR. Every action – scanning, anonymizing, deleting – is logged, giving IT and compliance teams full control and traceability.

How Does Oblivio Work?

Oblivio automatically scans files and IT resources for personal data. You can configure it to review selected locations such as network folders, file servers (including SharePoint), cloud libraries (OneDrive, Google Drive), relational databases, and email inboxes. It analyzes documents – even scanned ones – using OCR and advanced natural language processing algorithms, similar to the Detecto tool. This allows Oblivio to detect hidden patterns, such as a national ID or contact information stored in unexpected formats.

Oblivio typically operates in three stages. First, it identifies where personal data is stored and determines the legal basis for retention. Then, it maps relationships between data sources to ensure consistency. Finally, it applies retention rules – defining storage timeframes and legal grounds for processing. The system also answers questions from business owners, like “How long can we keep this data?” or “What’s the legal basis?” Rules are flexible and can be modified anytime to reflect real business processes.

As a result, companies gain full visibility into their data. Oblivio centralizes corporate data and automatically classifies documents by type (e.g., invoice, CV, contract, medical record), eliminating manual cleanup. Instead of browsing dozens of folders, an admin can generate a list of documents with personal data (like national ID, email, or phone number) in one click. The system also creates automated reports and shows where each type of data is stored.

Who Will Benefit?

Oblivio is useful for any organization processing personal data, especially in sectors with large data volumes and strict GDPR regulations. Example use cases:

Finance and insurance: Banks, funds, and insurers handle hundreds of contracts and personal records daily. For them, centralized retention and structured data management are critical for GDPR compliance.
Healthcare and medical sector: Clinics, hospitals, and pharmaceutical firms store highly sensitive patient data that must be protected and deleted once treatment ends.
Public administration: Government offices, municipalities, schools – all manage systems registering citizen data (ID numbers, contact details, service history) and require centralized control over document retention.
Corporations and mid-sized businesses: Companies with multiple departments (HR, IT, finance) and scattered data repositories. This is a classic “where is our data?” scenario – without Oblivio, enforcing a consistent retention policy is difficult.

No matter the industry, any organization prioritizing GDPR compliance and structured data management will benefit from Oblivio.

What Do You Gain by Implementing Oblivio?

Full data visibility: Automated reports show which systems and files contain personal data. You can track retention metrics in real time and easily locate every piece of information thanks to classification.

Order and GDPR compliance: A centralized retention management tool ensures the “right to be forgotten” is implemented consistently across all systems. When data deletion is due, it happens according to predefined rules.

Reduced risk of penalties: Oblivio automatically monitors retention deadlines and deletes outdated data – minimizing GDPR violations. With detailed logs, companies can prove compliance during audits.

Automation and time savings: From scanning to anonymization, all steps are automated. No more manually reviewing hundreds of documents. Saved time can be spent on more valuable tasks.

Accountability and auditability: Every action (deletion, data change) is logged, ensuring full accountability. Managers always know who did what and when – simplifying internal and external audits.

Example Use Case – Data Organization

Imagine a company with two systems: Sales System A and Marketing System B, both containing data about the same customers. When the processing agreement in System A expires. Oblivio detects the loss of legal grounds for retaining the data in both systems. After the configured retention period (e.g., 30 days), the anonymization process begins. The system prompts the system owner for confirmation. Once approved, the customer data in A and B is replaced with a dummy record. The result: personal data is permanently removed and replaced with pseudonymized entries in both applications – ensuring GDPR compliance. Without Oblivio (data organization), this process would require manual work from IT staff – taking days and risking human error.

Contact the Wizards Team

Oblivio puts you in control of your company’s data. It helps you manage scattered resources, reduce GDPR-related risks, and restore order in your IT environment. Ready to organize your business data?
Schedule a call with the Wizards team to see how Oblivio works and supports your business.