The Iran war has put IT resilience into sharp focus these last six weeks. IT policies like disaster recovery and business continuity plans are being put to the test and scrutinised by company boards. The humble backup is still central to a resilient IT infrastructure.
For regulated firms in Dubai’s DIFC and Abu Dhabi’s ADGM, backup is not merely an IT housekeeping task. It sits at the heart of business continuity, disaster recovery, and data integrity obligations under the DFSA and FSRA frameworks respectively.
The DFSA takes an outcome-focused approach. Its rules require adequate business continuity arrangements, regular resilience testing, credible recovery capability, and true separation from shared infrastructure dependencies. It does not prescribe specific backup cadences or retention numbers, leaving firms to document those choices by dataset and business service.
The FSRA is more operationally explicit. Its IT Risk Management Guidance spells out that firms must define backup frequency, retention periods, archival procedures, and restoration testing processes. Retention must be linked to data classification, business need, and regulatory obligation – not left as a default setting inside a backup product.
Neither regulator mandates a single universal backup schedule. The FSRA points firms toward recovery point objectives (RPOs) and recovery time objectives (RTOs), derived from business continuity analysis of critical services. A firm that calibrates backup frequency to system criticality and acceptable data loss tolerances is far closer to regulatory expectations than one running a blanket nightly job. The DFSA expects the same logic implicitly: retention should be long enough to satisfy legal and operational needs, and to preserve clean restore points if ransomware or corruption is detected late.
Both regulators treat geographic and infrastructural separation as non-negotiable. The DFSA explicitly warns against common-mode failure, requiring that alternative data centres do not share the same infrastructure or service provider as primary systems. The FSRA goes further, requiring geographically separated redundant data centres on different physical infrastructure, including distinct telecommunications and utilities providers. A secondary copy in the same cloud region or behind the same network path does not meet this standard.
Paper resilience satisfies neither regulator. The DFSA requires a comprehensive, regular testing programme covering vulnerability assessments, penetration tests, scenario-based exercises, and incident response simulations. The FSRA mirrors this and raises the bar further: firms should, where possible, actually operate from recovery arrangements to prove the model works in practice, with senior management and relevant third parties involved.
The bottom line: firms that can demonstrate – with evidence – how long backups are kept, how often they run, where they are stored, how they are protected, and when they were last successfully restored will be well-positioned under both frameworks.
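One way to turn the expectations above (RPO-calibrated backup frequency, documented retention, infrastructural separation, and evidenced restore testing) into a repeatable check is to audit a backup inventory against each dataset's documented targets. The script below is an added illustration, not code from the article or from either regulator; the inventory, the dataset names, the RPO and retention figures, and the 90-day restore-test threshold are all constructed assumptions, and the separation rule (flag any secondary copy that shares either the provider or the region of the primary) is one reading of the DFSA and FSRA wording, not a quoted rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "now" so the audit is reproducible offline (constructed value).
NOW = datetime(2026, 4, 15, 9, 0, tzinfo=timezone.utc)


@dataclass
class BackupRecord:
    dataset: str
    classification: str            # documented data classification
    rpo_hours: float               # documented recovery point objective
    retention_days: int            # documented retention for this dataset
    last_backup: datetime          # last successful backup completion
    oldest_restore_point: datetime  # oldest copy still held
    last_restore_test: Optional[datetime]  # last successful restore test
    primary_provider: str
    primary_region: str
    copy_provider: str
    copy_region: str


def evaluate(rec: BackupRecord, now: datetime,
             max_test_age_days: int = 90) -> List[str]:
    """Return the findings for one dataset; an empty list means no gap."""
    findings = []

    # 1. Frequency: the newest backup must be younger than the RPO.
    age_h = (now - rec.last_backup).total_seconds() / 3600
    if age_h > rec.rpo_hours:
        findings.append(f"RPO breached: last backup {age_h:.1f}h ago, RPO {rec.rpo_hours}h")

    # 2. Retention: the oldest retained copy must cover the documented window.
    held_d = (now - rec.oldest_restore_point).days
    if held_d < rec.retention_days:
        findings.append(f"retention short: oldest copy {held_d}d old, policy {rec.retention_days}d")

    # 3. Separation: a copy on the same provider or in the same region shares
    #    infrastructure with the primary (assumed reading of the separation rule).
    if rec.copy_provider == rec.primary_provider or rec.copy_region == rec.primary_region:
        findings.append("separation: secondary copy shares provider or region with primary")

    # 4. Evidence of recovery: a successful restore test within the threshold.
    if rec.last_restore_test is None:
        findings.append("no successful restore test on record")
    elif (now - rec.last_restore_test).days > max_test_age_days:
        findings.append(f"restore test stale: {(now - rec.last_restore_test).days}d old")

    return findings


def audit(inventory: List[BackupRecord], now: datetime = NOW) -> Dict[str, List[str]]:
    """Audit every dataset; keyed by dataset name for reporting."""
    return {rec.dataset: evaluate(rec, now) for rec in inventory}


# Constructed sample inventory (three datasets, three classifications).
INVENTORY = [
    BackupRecord("trading-ledger", "critical", 1, 365,
                 NOW - timedelta(minutes=30), NOW - timedelta(days=400),
                 NOW - timedelta(days=20), "cloud-a", "region-1", "cloud-b", "region-2"),
    BackupRecord("client-crm", "important", 4, 180,
                 NOW - timedelta(hours=6), NOW - timedelta(days=100),
                 None, "cloud-a", "region-1", "cloud-a", "region-1"),
    BackupRecord("hr-records", "standard", 24, 90,
                 NOW - timedelta(hours=12), NOW - timedelta(days=95),
                 NOW - timedelta(days=120), "cloud-a", "region-1", "cloud-a", "region-3"),
]


def compliant_datasets(report: Dict[str, List[str]]) -> List[str]:
    """Datasets with no findings, i.e. those a firm can evidence as meeting targets."""
    return sorted(name for name, findings in report.items() if not findings)


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run on the constructed inventory, `trading-ledger` passes every check, `client-crm` fails all four (stale backup against its RPO, retention shorter than policy, a copy co-located with the primary, and no restore test), and `hr-records` is flagged only for a stale restore test and a copy on the same provider. The point of the exercise is the output a board or supervisor can read: one line per dataset stating which of the documented targets is met and which is not, rather than a single "backups are running" assurance.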