    Personal data retention management in ICT systems faces unprecedented challenges resulting from increasingly restrictive regulatory requirements in the field of cybersecurity and personal data protection. The NIS2 Directive and the DORA Regulation introduce new standards for information security and digital operational resilience that directly affect how organisations must manage the information lifecycle, including personal data in particular.

    NIS2 focuses on the security and continuity of network and information systems, requiring essential and important entities to implement ICT risk management measures, mandatory incident reporting, and the use of cryptography, encryption and multi-factor authentication. DORA, on the other hand, aimed at the financial sector, imposes detailed requirements for data backup, testing of recovery procedures and management of risks associated with ICT third-party service providers.

    In this context, organisations must not only comply with GDPR rules on data minimisation and specific retention periods, but also ensure that their ICT systems are resilient to cyber attacks, enable rapid data recovery and ensure full transparency in information processing. Contemporary trends, such as the automation of data lifecycle management, the use of artificial intelligence for the detection and classification of personal data, and the implementation of Zero Trust architecture, offer new opportunities but also bring challenges related to system integration, data management in multi-cloud environments, and ensuring compliance with multiple overlapping regulations.

    Below, we present five key trends and five major challenges facing organisations managing personal data retention in the context of NIS2 and DORA requirements.

    Five key trends

    1. Automation of personal data lifecycle management

    Automation of data retention processes is becoming standard in modern organisations that need to manage vast amounts of personal data while complying with increasingly complex regulatory requirements. Automated data lifecycle management tools optimise the identification, classification and deletion of data in accordance with established retention policies.

    IT systems enable the automatic transfer of older data to cheaper storage tiers, the elimination of unnecessary information, and the assurance that personal data is deleted or anonymised once the retention period required by law or by a legitimate business purpose has expired, with a record of what was removed and when. In the context of NIS2, which requires ICT risk management policies and the security of networks and information systems, automation of retention allows an organisation to apply one consistent retention policy across its entire infrastructure instead of relying on per-system manual procedures.

    2. AI-supported detection and classification of personal data

    The use of artificial intelligence for the automatic detection and classification of personal data is revolutionising the way organisations identify sensitive information in their ICT systems. Machine learning-based tools can scan both structured and unstructured data, recognise patterns, and detect personal data that may have been overlooked by traditional identification methods.

    Reported classification accuracy for such tools can reach around 95%, which outperforms manual review and reduces the risk of human error, although the figure depends on the data types and languages involved and should be verified on the organisation's own data before the tool is trusted to drive deletion. These systems combine named-entity recognition, pattern matching with checksum validation of structured identifiers (such as PESEL or NIP numbers) and anomaly detection to map the locations of personal data across the organisation. In the context of NIS2, which requires thorough knowledge of information resources and the implementation of data security policies, effective data detection is the foundation of retention management.
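The practical difference between pattern matching and classification shows up in the false-positive rate: an eleven-digit number in a document is often an order or phone number, not a PESEL. The following example was written for this page as an illustration and is not code from the article or from any Wizards product. It scans a constructed text for Polish PESEL and NIP identifiers and e-mail addresses, and validates every numeric candidate with the official checksum before reporting it; the identifiers in the sample text are synthetic.

```python
import re
from dataclasses import dataclass

# Constructed sample text for this example. The identifiers are synthetic and
# were chosen only so that the checksum logic has something to validate.
SAMPLE_TEXT = """
Customer record export (constructed sample)
Jan Kowalski, PESEL 44051401359, NIP 5260250274, jan.kowalski@example.com
Typo in ticket: PESEL 44051401358 (does not validate), order no. 1234567890
"""

@dataclass(frozen=True)
class Finding:
    kind: str       # identifier type, e.g. "PESEL"
    value: str      # matched text
    offset: int     # character offset in the scanned text
    verified: bool  # True when a checksum confirmed the match

def pesel_checksum_ok(digits: str) -> bool:
    """PESEL: 11 digits; weights 1,3,7,9,1,3,7,9,1,3 over the first ten,
    control digit = (10 - sum mod 10) mod 10."""
    if not re.fullmatch(r"\d{11}", digits):
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    total = sum(int(d) * w for d, w in zip(digits[:10], weights))
    return (10 - total % 10) % 10 == int(digits[10])

def nip_checksum_ok(digits: str) -> bool:
    """NIP: 10 digits; weights 6,5,7,2,3,4,5,6,7 over the first nine,
    control digit = sum mod 11 (a result of 10 means the number is invalid)."""
    if not re.fullmatch(r"\d{10}", digits):
        return False
    weights = (6, 5, 7, 2, 3, 4, 5, 6, 7)
    total = sum(int(d) * w for d, w in zip(digits[:9], weights))
    return total % 11 != 10 and total % 11 == int(digits[9])

# (pattern, kind, validator). A bare run of 10 or 11 digits also matches order
# and phone numbers, so every candidate is passed through its validator.
DETECTORS = [
    (re.compile(r"(?<!\d)\d{11}(?!\d)"), "PESEL", pesel_checksum_ok),
    (re.compile(r"(?<!\d)\d{10}(?!\d)"), "NIP", nip_checksum_ok),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "EMAIL", lambda s: True),
]

def scan(text: str, require_verification: bool = True) -> list[Finding]:
    """Return findings in document order. With require_verification=True,
    candidates that fail their checksum are dropped (fewer false positives);
    with False they are kept but flagged verified=False for manual review."""
    findings = []
    for pattern, kind, validator in DETECTORS:
        for m in pattern.finditer(text):
            ok = validator(m.group())
            if ok or not require_verification:
                findings.append(Finding(kind, m.group(), m.start(), ok))
    return sorted(findings, key=lambda f: f.offset)

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"{f.kind:5} at {f.offset:4}: {f.value} (verified={f.verified})")
```

Run against the sample, the strict scan reports one PESEL, one NIP and one e-mail address; the mistyped PESEL and the ten-digit order number are dropped because their checksums fail, which is exactly the noise an unvalidated regex would have flagged.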

    3. Implementation of Zero Trust architecture in data management

    Zero Trust architecture, based on the principle of “never trust, always verify,” is becoming a key trend in securing access to personal data and managing its retention. The Zero Trust model requires continuous verification of the identity of all users, devices and systems at every interaction with data, the application of the principle of least privilege, and network micro-segmentation to limit the potential scope of attacks.

    In the context of data retention management, it ensures that only authorised systems and users can initiate data deletion or archiving processes, which matters because a retention engine with broad delete rights is itself an attractive target; this is particularly important in light of NIS2 requirements for access control and asset management. Additionally, a Zero Trust design encrypts data both in transit and at rest, which both NIS2 (through its requirement for policies on cryptography and encryption) and DORA call for.

    4. Immutable backups as protection against ransomware

    Immutable backups are becoming the industry standard in protection against increasingly sophisticated ransomware attacks that deliberately attempt to destroy backups before encrypting production data. WORM (Write Once, Read Many) storage ensures that once a backup is written it cannot be modified, deleted or encrypted for a specified retention period. That guarantee holds against administrators with full privileges only when the lock is enforced by the storage layer itself rather than by the backup application, and only in a lock mode that no credential can override (for example the compliance mode of object-lock storage, as opposed to a governance mode that a sufficiently privileged account can bypass). The lock's retention period should be at least as long as the backup retention policy, and recovery should be rehearsed from the locked copies.

    Immutable backups are particularly important in the context of DORA, which requires financial institutions to maintain backup systems capable of surviving cyber incidents and to regularly test data recovery procedures. NIS2 likewise requires business continuity planning for ICT systems, including up-to-date backups and data recovery strategies.
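The difference between "cannot be deleted by anyone" and "cannot be deleted by most people" is what decides whether a backup survives an attacker holding administrator credentials. The example below was added for this page and is not code from the article or from a Wizards product. It models the object-lock semantics of an S3-style WORM store: a compliance-mode lock blocks deletion until expiry regardless of permissions, a governance-mode lock can be bypassed by a principal granted s3:BypassGovernanceRetention, and a legal hold can be lifted by anyone allowed s3:PutObjectLegalHold. The objects, principals and permission sets are constructed; IAM wildcard expansion and bucket policies are assumed to have been resolved into explicit action lists beforehand.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field names follow AWS S3 Object Lock (Mode GOVERNANCE/COMPLIANCE,
# RetainUntilDate, LegalHoldStatus) because it is the WORM store most
# practitioners meet; the evaluation logic itself is this example's own.
@dataclass
class LockedObject:
    key: str
    mode: str = None              # "GOVERNANCE", "COMPLIANCE" or None (no lock)
    retain_until: datetime = None
    legal_hold: bool = False

@dataclass
class Principal:
    name: str
    # Explicit IAM actions granted. Wildcards and bucket policies are assumed
    # to have been resolved into this set before the audit runs.
    allowed_actions: set = field(default_factory=set)

def can_delete_before_expiry(obj, who, now):
    """Return (deletable, reason) for one object and one principal."""
    acts = who.allowed_actions
    if "s3:DeleteObjectVersion" not in acts:
        return False, "no delete permission"
    retention_active = (obj.mode is not None and obj.retain_until is not None
                        and now < obj.retain_until)
    if retention_active and obj.mode == "COMPLIANCE":
        return False, "compliance retention"       # nobody can shorten it
    if (retention_active and obj.mode == "GOVERNANCE"
            and "s3:BypassGovernanceRetention" not in acts):
        return False, "governance retention"
    if obj.legal_hold and "s3:PutObjectLegalHold" not in acts:
        return False, "legal hold"
    reasons = []
    if retention_active:
        reasons.append("governance bypass")
    if obj.legal_hold:
        reasons.append("legal hold removable")
    return True, ", ".join(reasons) or "no active retention"

def audit(objects, principals, now):
    """Backups that at least one principal could destroy before their retention
    ends. Anything listed here is not immutable in the ransomware sense."""
    exposed = []
    for o in objects:
        for p in principals:
            ok, why = can_delete_before_expiry(o, p, now)
            if ok:
                exposed.append((o.key, p.name, why))
    return exposed

# Constructed sample inventory and principals
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    LockedObject("backup/2025-05-01.tar", "COMPLIANCE", datetime(2025, 7, 1, tzinfo=timezone.utc)),
    LockedObject("backup/2025-05-02.tar", "GOVERNANCE", datetime(2025, 7, 1, tzinfo=timezone.utc)),
    LockedObject("backup/2025-01-01.tar", "GOVERNANCE", datetime(2025, 2, 1, tzinfo=timezone.utc)),
    LockedObject("backup/2025-05-03.tar"),   # uploaded without any lock
]
SAMPLE_PRINCIPALS = [
    Principal("backup-operator", {"s3:GetObject", "s3:DeleteObjectVersion"}),
    Principal("cloud-admin", {"s3:GetObject", "s3:DeleteObjectVersion",
                              "s3:BypassGovernanceRetention", "s3:PutObjectLegalHold"}),
]

if __name__ == "__main__":
    for key, who, why in audit(SAMPLE_OBJECTS, SAMPLE_PRINCIPALS, NOW):
        print(f"{key}: deletable by {who} ({why})")
```

On the sample inventory only the compliance-locked backup is safe from the administrator account; the governance-locked copy falls to the bypass permission, the copy whose lock has already expired and the copy written without a lock are deletable by the ordinary operator as well. Running this kind of check over the real lock configuration and the real IAM grants is the quickest way to find out whether "immutable" means what the backup vendor's brochure says.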

    5. Privacy enhancing technologies

    Privacy enhancing technologies (PETs) are gaining importance as tools that enable organisations to use data for analytical purposes while maintaining individual privacy. PETs include a range of techniques such as anonymisation, pseudonymisation, differential privacy, federated learning, homomorphic encryption and synthetic data, which allow data to be processed without compromising individual privacy.

    In the context of data retention management, PETs offer an alternative to deleting data outright when the retention period expires. Data can instead be anonymised, so that it can still be used for statistical, research or AI model training purposes while meeting the GDPR principle of data minimisation. Two caveats apply. First, pseudonymised data remains personal data under the GDPR for as long as the key or mapping exists, so pseudonymisation reduces risk but does not end the retention obligation; only anonymisation that cannot reasonably be reversed takes the data outside the regulation. Second, unkeyed hashing of identifiers with a small value space (national ID numbers, phone numbers) is not effective pseudonymisation, because the hash can be reversed by enumeration. NIS2 and DORA, by requiring advanced cryptographic measures and data protection, create a favourable environment for the adoption of PETs.
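The enumeration caveat is easy to demonstrate. The example below was added for this page and is not code from the article or from Nocturno or Oblivio. It pseudonymises a synthetic PESEL-shaped identifier in two ways, a plain SHA-256 and an HMAC-SHA256 under a secret key, and then plays the attacker who knows the data subject's birth date: with only the four-digit serial and the check digit unknown there are 100,000 candidates, which is enough to reverse the unkeyed hash in well under a second and not enough to do anything against the keyed one. The identifier is constructed and the key is generated locally for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a synthetic PESEL-shaped identifier for a birth date of
# 1990-01-01 (digits 900101). It is not a real person's number.
SAMPLE_PESEL = "90010100009"
BIRTHDATE_PREFIX = SAMPLE_PESEL[:6]

def unkeyed_pseudonym(identifier: str) -> str:
    """The common mistake: a plain SHA-256 of the identifier. Deterministic
    and computable by anyone, so it is only as secret as the input space."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by a separate party or system.
    Without the key the mapping cannot be rebuilt by enumeration."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def enumerate_match(digest: str, birthdate_prefix: str, pseudonymise):
    """Attacker who knows the birth date: only the 4-digit serial and the
    check digit are unknown, i.e. 100,000 candidates."""
    for n in range(100_000):
        candidate = f"{birthdate_prefix}{n:05d}"
        if pseudonymise(candidate) == digest:
            return candidate
    return None

def demo_pseudonymisation():
    key = secrets.token_bytes(32)            # held by the pseudonymising party
    weak = unkeyed_pseudonym(SAMPLE_PESEL)
    strong = keyed_pseudonym(SAMPLE_PESEL, key)
    # The attacker does not hold `key`, so the best available attack on the
    # keyed value is the same unkeyed enumeration, which finds nothing.
    recovered_weak = enumerate_match(weak, BIRTHDATE_PREFIX, unkeyed_pseudonym)
    recovered_strong = enumerate_match(strong, BIRTHDATE_PREFIX, unkeyed_pseudonym)
    return recovered_weak, recovered_strong

if __name__ == "__main__":
    print(demo_pseudonymisation())   # ('90010100009', None)
```

The keyed variant is still pseudonymisation, not anonymisation: whoever holds the key can rebuild the mapping, so the pseudonymised dataset remains personal data and the key must be protected, access-logged and, when the data is to be anonymised for good, destroyed.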

    Five key challenges

    1. Retention management in multi-cloud environments

    Organisations are increasingly using multi-cloud strategies, storing data on different cloud platforms (AWS, Azure, GCP) and with different SaaS providers, which creates enormous challenges for the consistent management of personal data retention. Each cloud provider has its own set of services, APIs, compliance certifications, and security models, making it difficult to implement uniform retention policies across all locations.

    The challenge is particularly relevant in the context of the DORA regulation, which requires financial institutions to keep detailed records of all ICT services and systems provided by external suppliers, including the location of data storage supporting critical operational functions. NIS2 also imposes an obligation to manage supply chain security and cooperate with suppliers in assessing risks and implementing appropriate procedures to protect against cyber attacks.

    2. Ensuring backups comply with retention policies

    One of the most difficult challenges in data retention management is ensuring that personal data is actually deleted from backups as well, and not just from production systems. The problem is particularly acute when an organisation restores a backup after a system failure: a record whose retention period has expired and which has already been deleted from production can reappear from an older backup unless the restore is reconciled against a record of completed deletions.

    DORA imposes detailed requirements for data backup and recovery, including specifying the scope of data covered by the backup, the frequency of backups, and the RTO and RPO for each function. Meeting these requirements and the GDPR retention rules simultaneously requires advanced planning and automation. As the Ministry of Digital Affairs pointed out in its guide for the fintech sector, not deleting data from backups may be justified for technical reasons, but the organisation must then be able to show that the cost and effort of selective deletion would be disproportionate to the risk, and must ensure that restored data is brought back into line with the retention policy rather than silently re-entering production.
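The automation described under trend 1 and the backup problem described here meet in one mechanism: a retention run that records every completed deletion or anonymisation in a tombstone ledger, which is then replayed over any restored dataset. The example below was written for this page and is not code from the article or from Oblivio. It evaluates constructed retention policies against constructed records (skipping records under legal hold), applies the due actions, and then reconciles a backup taken before the run so that the deleted contract and the anonymised consent record do not come back to life. Category names, retention periods and the record layout are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Policy:
    category: str        # e.g. "contract", "marketing_consent"
    retain_days: int     # counted from the record's trigger date
    action: str          # "delete" or "anonymise"

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date   # start of the retention clock, e.g. contract end
    subject_fields: dict # personal data held in the record
    legal_hold: bool = False

@dataclass
class Store:
    """Toy production store plus a tombstone ledger of completed retention
    actions; the ledger is what makes a later backup restore reconcilable."""
    records: dict = field(default_factory=dict)
    tombstones: dict = field(default_factory=dict)   # record_id -> action

def due_actions(records, policies, today):
    """(record, action) pairs whose retention has expired. Records under legal
    hold or with no matching policy are skipped; in a real system they should
    be reported, not silently ignored."""
    by_category = {p.category: p for p in policies}
    due = []
    for r in records.values():
        p = by_category.get(r.category)
        if p is None or r.legal_hold:
            continue
        if today >= r.trigger_date + timedelta(days=p.retain_days):
            due.append((r, p.action))
    return due

def apply_action(records, tombstones, record_id, action):
    if action == "delete":
        del records[record_id]
    elif action == "anonymise":
        r = records[record_id]
        r.subject_fields = {k: None for k in r.subject_fields}
    else:
        raise ValueError(f"unknown retention action {action!r}")
    tombstones[record_id] = action

def run_retention(store, policies, today):
    for r, action in due_actions(store.records, policies, today):
        apply_action(store.records, store.tombstones, r.record_id, action)
    return store

def reconcile_after_restore(restored_records, tombstones):
    """Replay the tombstone ledger over a freshly restored dataset so that
    records already deleted or anonymised do not come back to life."""
    for record_id, action in tombstones.items():
        if record_id in restored_records:
            apply_action(restored_records, {}, record_id, action)
    return restored_records

# Constructed sample policies and records
POLICIES = [Policy("contract", 6 * 365, "delete"),
            Policy("marketing_consent", 2 * 365, "anonymise")]

def sample_records():
    return {
        "c1": Record("c1", "contract", date(2015, 1, 1), {"name": "A", "email": "a@example.com"}),
        "c2": Record("c2", "contract", date(2024, 1, 1), {"name": "B", "email": "b@example.com"}),
        "c3": Record("c3", "contract", date(2014, 6, 1), {"name": "C", "email": "c@example.com"},
                     legal_hold=True),
        "m1": Record("m1", "marketing_consent", date(2020, 3, 1), {"email": "d@example.com"}),
    }

def demo_retention(today=date(2025, 6, 1)):
    backup = sample_records()                          # snapshot taken before the run
    store = run_retention(Store(sample_records()), POLICIES, today)
    restored = reconcile_after_restore(backup, store.tombstones)
    return store, restored

if __name__ == "__main__":
    store, restored = demo_retention()
    print("tombstones:", store.tombstones)
    print("after restore:", sorted(restored))
```

The ledger must itself be retained for at least as long as the oldest backup it may be replayed against, and it should hold identifiers only, never the personal data that was removed; it is also the audit evidence that the retention policy was actually enforced.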

    3. Shadow IT and discovering unknown data repositories

    Shadow IT, i.e. unauthorised tools, applications and cloud services used by employees without the knowledge of the IT department, poses a serious threat to the effective management of personal data retention. Personal data can be copied to personal accounts on OneDrive, Google Drive or Dropbox, or stored in unapproved SaaS applications, completely bypassing corporate retention and security policies.

    The problem is particularly relevant in the context of the NIS2 Directive, which requires a thorough inventory of all IT resources and the implementation of asset management measures. DORA also imposes an obligation to keep a detailed register of all ICT services, including contracts with suppliers and data storage locations. Shadow IT creates “invisible” repositories of personal data that are not covered by standard retention processes, exposing the organisation to GDPR violations and to the inability to fully answer data subject access requests (DSARs) or to honour the right to be forgotten.

    4. Data minimisation versus business and regulatory needs

    The principle of data minimisation, which is the foundation of the GDPR and requires the collection of only data necessary for specific purposes, often conflicts with the business needs of organisations that want to collect as much data as possible for analysis, personalisation of services or development of AI-based products. At the same time, many regulatory provisions (e.g., tax regulations, labour law, sectoral requirements) impose an obligation to store certain categories of data for long periods, which may be contrary to the principle of minimisation.

    In the context of NIS2 and DORA, organisations must also retain certain data relating to security incidents, system logs and ICT risk management documentation for the periods specified in the regulations. The challenge is to find a balance between different, sometimes conflicting requirements and to design systems that are flexible enough to handle different retention periods for different categories of data and processing purposes, even when the same personal data is processed in multiple contexts simultaneously.

    5. Migrating legacy systems while maintaining compliance

    Many organisations still base their operations on outdated legacy ICT systems that were not designed with modern requirements for personal data protection, automatic retention or advanced security measures required by NIS2 and DORA in mind. Migrating data from these systems to a modern cloud infrastructure while maintaining compliance with GDPR, NIS2 and DORA is one of the most complex technical and organisational challenges.

    Legacy systems often store personal data in unstructured formats, without proper tagging or classification, making it difficult to identify data subject to retention. In addition, older systems may not offer native encryption, access control or audit functions required by NIS2 and DORA. The migration process must ensure that no personal data is lost, compromised or accidentally disclosed, and that all retention periods are correctly transferred to the new system.

    Summary

    Managing personal data retention in ICT systems in the context of NIS2 and DORA requirements requires organisations to take a strategic approach combining advanced technologies, clear and practical policies, and continuous compliance monitoring. Trends such as automation, AI-powered data discovery, Zero Trust, immutable backups and PETs offer powerful tools to meet these challenges, while issues related to multi-cloud, shadow IT, data minimisation and data migration from legacy systems require thoughtful planning and collaboration between IT, compliance and business departments.

    The key to success is to treat retention management not as an isolated regulatory requirement, but as an integral part of an organisation’s cybersecurity and operational resilience strategy. Tools such as Oblivio, Nocturno, Revelio and Detecto offered by Wizards provide comprehensive support for the automation of retention, anonymisation, monitoring and detection of personal data, helping organisations meet GDPR, NIS2 and DORA requirements in a consistent and effective manner.

    ICT Outsourcing and New Obligations under DORA

    ICT outsourcing that supports critical or important operational functions is now one of the most complex and sensitive areas of compliance under the DORA regulation. Although the financial sector has relied on external IT providers for years, it must now effectively oversee not only the primary service provider but also the entire network of subcontractors, including infrastructure vendors, integrators, fintech firms and non-EU hyperscalers.

    Key Challenges According to Compliance Departments

    Compliance experts point to several recurring challenges. One of them is the lack of transparency and visibility between subsequent parties in the supply chain. The complex structure of relationships between ICT providers often limits effective oversight of all process participants.

    Many financial institutions are forced to renegotiate existing contracts with providers to incorporate new regulatory requirements. However, they often face limited openness from partners – especially global cloud providers who hold a strong negotiating position, making agreement difficult.

    Another issue is the checklist-based approach to due diligence, where responses are superficial and not backed by real risk analysis. In such cases, there is a risk of apparent compliance without real control over service quality and security.

    Organizations must also build early warning systems that enable rapid assessment of changes in the subcontracting chain and of their impact on business continuity and the overall risk profile. In capital groups operating across multiple markets, an additional challenge arises from inconsistent subcontracting policies, especially outside the EU.

    RTS 2025/532: Specific Requirements for Financial Institutions

    In response to these challenges, the European Commission published Delegated Regulation (EU) 2025/532, which sets out Regulatory Technical Standards (RTS) on ICT subcontracting and subcontractor management. Article 5(1) states:

    “Financial entities shall implement operational risk management frameworks covering the entire chain of ICT subcontractors, regardless of their location and level of dependency.”

    The regulation emphasizes that a financial institution cannot transfer compliance responsibility – even when ICT services are further subcontracted. Before signing a new agreement (or amending an existing one), a thorough due diligence must be conducted, assessing each subcontractor’s technical, financial, and security capabilities.

    Institutions must also maintain a comprehensive register of all supply chain entities, monitor their activities, and evaluate associated risk levels, considering geographical reach and the complexity of relationships. Importantly, under Article 6(3):

    “Financial entities shall include in outsourcing contracts provisions related to audit rights, reporting requirements, and conditions for termination in case of risk levels exceeding acceptable thresholds.”

    This requires contracts to include specific clauses on permissible subcontracting, change notifications, objection rights, and the ability to terminate the contract.

    For parent entities operating within capital groups, it is crucial to ensure consistent ICT outsourcing policies across the organization, including beyond the EU. This involves unifying collaboration principles with providers, implementing common procedures, and conducting internal training and audits to ensure compliance with DORA.

    What Should Compliance Managers Do?

    Compliance teams must act swiftly and decisively. Reviewing current outsourcing policies should be paired with mapping the entire supply chain, identifying key risk areas, and updating contract terms accordingly.

    Special attention should be given to non-EU providers, entities with strong negotiating leverage, and cloud infrastructure operators. Well-prepared institutions will not only ensure DORA compliance but also strengthen operational resilience, reduce systemic risk and improve the quality of collaboration with external service providers.

    In an era of growing digitalization and globalization, effective ICT outsourcing management is becoming one of the key pillars of financial sector security.

    Wizards’ Support in ICT Outsourcing Management

    The Wizards team supports organizations in assessing ICT outsourcing risks, preparing RTS-compliant contracts, and creating monitoring and reporting mechanisms. If you need practical assistance, get in touch.

    Implementing DORA in a financial institution requires full compliance with the principles of digital operational resilience. Regulation (EU) 2022/2554 (DORA) obliges banks and their ICT service providers to continuously manage ICT risk and cybersecurity. These requirements include the thorough identification and classification of all ICT assets, such as servers, applications, databases and documents, and documentation of the relationships between those assets.

    DORA mandates the implementation of IT incident handling procedures—from detection and analysis to system recovery. Any major cyber event must be reported according to official guidelines. Institutions are also required to regularly test system resilience, for example through penetration testing. Strict enforcement of data retention policies is equally crucial: data cannot be stored longer than legally permitted. Every change to the IT infrastructure must be logged and auditable.

    Detecto – Data Identification and Risk Management

    Detecto is a tool that automates the detection and classification of sensitive data in a company’s systems and documents. It uses AI technologies (OCR and NLP) to scan corporate resources (files, databases, emails) for personal and sensitive information. This makes it fully aligned with DORA’s requirement to identify all informational assets. Detecto enables organizations to:

    By offering these capabilities, Detecto supports effective information risk management. It automatically builds a catalog of critical data and their storage points, helping institutions assess potential threats. This enables better planning of ICT risk mitigation activities and supports DORA’s requirements for protecting assets from unauthorized access or damage.

    Revelio – Detection of Unauthorized Resources and Data

    Revelio scans shared file storage, employee computers, and email accounts to identify documents containing sensitive data. It uncovers “hidden” resources—files and folders containing personal data that were not previously included in official systems. Revelio helps institutions to:

    Revelio enhances visibility across the data environment and identifies unauthorized information assets. In the DORA context, it ensures no confidential data is “forgotten” within the IT structure. Integrated with Oblivio, it supports full enforcement of data retention policies—once documents with expired legal grounds are detected, Revelio enables their safe removal or anonymization. This ensures compliance with DORA data protection and retention requirements.


    Nocturno – Safe Test Environments

    Nocturno is a tool for creating secure test environments using anonymized production data. It allows financial institutions to test cyber resilience and business continuity without exposing real customer data. Nocturno uses custom dictionaries and generators to keep the structure of production data. It replaces real values like IDs, tax numbers, or birthdates with fictitious but valid ones. Key features include:

    These features minimize the risk of using real personal data during testing or system migrations. DORA requires resilience testing to occur in secure environments while maintaining data confidentiality. Nocturno enables this by supporting tests such as disaster recovery or simulated attacks without exposing sensitive customer data.

    Oblivio – Managing the Data Lifecycle

    Oblivio is a tool for central management of data retention and anonymization across the entire organization. It helps define how long personal data (e.g., consents or contracts) may be stored. After this period expires, Oblivio automatically cleans the database. It integrates with other IT systems and triggers data anonymization or deletion once the legal basis expires. Core functionalities include:

    Oblivio helps meet DORA requirements for managing the data lifecycle and ensuring accountability. Automating retention processes reduces human error and ensures that no sensitive data is kept without a legal basis. The detailed logs prove that the institution’s data management policies are properly enforced—critical for audits and compliance checks.

    Summary

    Implementing DORA in a financial institution requires the synergy of modern data management and security tools.

    By using Wizards tools together, financial institutions and ICT providers meet DORA’s technical requirements. At the same time, they strengthen operational resilience and are better prepared for cybersecurity incidents.

    1. What is DORA?

    DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the digital resilience of financial institutions. It imposes obligations related to ICT risk management, system resilience testing, and reporting of cyber incidents.

    2. Who is affected by DORA regulations?

    The regulation applies to a wide range of entities, including banks, investment firms, payment institutions, crypto-asset service providers, and external technology providers offering services to the financial sector.

    3. When does DORA come into effect?

    DORA came into force on January 16, 2023, but full compliance will be mandatory from January 17, 2025. Financial institutions have a two-year transition period to implement the required procedures.

    4. What are the main requirements of the regulation?

    Implementation of ICT risk management strategies.
    Testing the digital resilience of IT systems.
    Reporting cyber incidents.
    Managing risks related to technology providers.
    Sharing threat intelligence within the financial sector.

    5. What penalties apply for non-compliance with DORA?

    Failing to comply with DORA can result in substantial financial penalties, imposed by the competent national authorities and reaching several million euros. Companies also face increased exposure to cyberattacks and loss of trust from clients and business partners. In serious cases, regulators may impose operational restrictions or additional supervisory measures.

    6. How to prepare a company for DORA compliance?

    Conduct an audit of IT security policies.
    Implement cybersecurity testing and monitoring systems.
    Train employees on the new regulations.
    Develop ICT incident management plans.

    7. What impact does DORA have on the financial sector?

    DORA raises IT risk management standards and enforces a priority focus on cybersecurity. Financial institutions must adopt stricter system monitoring procedures and conduct regular cybersecurity resilience tests.

    Mandatory penetration testing will help detect security vulnerabilities.
    Faster incident reporting will improve transparency and accountability.
    Stricter oversight of technology providers will require audits and security assessments.

    As a result, DORA will enhance data security for customers and improve the sector’s resilience to cyber threats.

    8. Does DORA affect cooperation with IT service providers?

    Yes. Financial institutions must closely monitor technology providers, conduct audits, and enforce compliance with DORA regulations.

    9. Key Steps to Implement DORA in a Company

    Regulatory compliance analysis – Conduct an audit of IT systems and security policies.
    Updating security procedures – Align ICT risk management standards with DORA requirements.
    Implementing monitoring and testing tools – Ensure resilience against cyber threats.
    Employee training – Raise awareness of the new regulations.
    Developing incident reporting procedures – Enable effective threat response.

    10. Challenges in Implementing DORA

    Implementation costs – New standards may require significant investments.
    Lack of ready-made solutions – Not all companies have adequate IT structures in place.
    Integration with providers – Audits and system adaptations may affect business partnerships.
    Organizational culture change – Effective implementation requires commitment from management and staff.

    11. Why Take Action Now?

    Although full DORA compliance will be mandatory from 2025, companies should start preparing as soon as possible.

    Early implementation helps avoid penalties and strengthen cybersecurity.
    Companies that have already adopted DORA gained greater operational stability and better reputations.
    Advanced threat monitoring systems will allow faster response to attacks.

    By implementing DORA now, organizations can avoid last-minute investments and better protect their systems from increasing cyber threats.

    The Digital Operational Resilience Act (DORA) is a European Union regulation that now applies to financial entities across the sector. Its primary goal is to enhance the financial sector’s resilience to digital threats, as cyberattacks have become one of the key challenges for the industry in recent years.

    The new regulations introduce unified ICT (Information and Communication Technology) risk management principles. Their purpose is to ensure financial market stability. Additionally, they enhance customer protection against cyber threats.

    DORA not only imposes obligations on financial institutions but also changes the way they approach cybersecurity. The new rules require the implementation of comprehensive risk management systems and IT infrastructure resilience testing against various types of attacks. Institutions must take specific steps to comply with these regulations. Non-compliance may result in heavy financial penalties and a loss of trust from customers and business partners.

    What Requirements Must Financial Institutions Meet?

    DORA mandates financial institutions to implement new ICT risk management procedures to strengthen resilience against cyber threats. This includes internal organizational processes and oversight of external providers offering IT services to the financial sector. Companies must apply strict data protection mechanisms, ensure business continuity, and regularly test the resilience of their systems.

    The new regulations emphasize cyber incident reporting and the implementation of preventive measures against future attacks.

    Companies must develop strategies for responding to cyber threats. They should also implement communication procedures that enable rapid reporting of irregularities to regulatory authorities.

    DORA also highlights managing ICT service providers. Financial institutions must carefully assess risks related to external IT systems and conduct compliance audits with the new regulations.

    What Happens to Companies That Do Not Comply with DORA?

    Non-compliance with DORA carries serious consequences. It can impact both financial stability and the reputation of financial institutions.

    Financial penalties are just one part of the problem. An even greater threat is the increased vulnerability to cyberattacks. These attacks can result in customer data theft, operational paralysis, and even significant financial losses.

    Failing to comply with DORA also weakens trust among customers and business partners. In today’s world, data security is a key factor in choosing financial services. Companies that fail to meet the new requirements risk losing competitiveness in the market.

    Financial institutions must act quickly to comply with regulations. Only in this way can they avoid severe consequences of negligence.


    How to Meet DORA Requirements?

    Adapting to DORA requires a comprehensive approach and the involvement of the entire organization. The first step should be a detailed review of IT security policies and an assessment of the current resilience of systems to cyber threats. Companies should also audit their ICT service providers to ensure compliance with regulatory requirements and eliminate any potential security risks.

    Cybersecurity testing is another key component of DORA compliance. Companies should regularly conduct penetration tests and vulnerability assessments to identify and eliminate weaknesses in their systems. Implementing new incident management procedures is essential to ensure a quick and effective response to potential threats.

    Employee training is also crucial for DORA preparation. Cyber threat awareness and knowledge of incident response procedures must be at a high level for the entire organization to function in accordance with the new regulations. Companies should also invest in modern threat monitoring tools and automate security management processes. This will enable continuous risk analysis and minimize potential damages.

    DORA – A New Reality for the Financial Sector

    DORA is changing how financial institutions manage their ICT systems. It places a strong focus on security, operational resilience and digital risk management.

    The new regulations are already in effect. Companies that have not yet adjusted should quickly implement the necessary procedures. Non-compliance increases the risk of cyberattacks and may also lead to legal and financial consequences.

    The financial sector has no choice—it must adapt to these new realities. This requires a strategic and long-term approach to digital resilience.

    DORA is not just an obligation; it is also an opportunity to improve security and risk management. Companies should approach these changes with full commitment. By doing so, they will not only meet regulatory requirements but also build a stronger and more resilient organization prepared for future challenges.