Decision guide · Backup, Recovery and Disaster Recovery
Choosing a backup and DR solution under NIS2, DORA and BAIT
A backup and disaster recovery decision rarely stands alone. Every solution succeeds or fails on four axes: ransomware resilience, immutability, fast recovery of critical services, and EU data residency. NIS2 Art. 21(2)(c) and DORA Art. 11 and 12 expect a documented business continuity and recovery strategy with tested backups, not just a backup product.
TL;DR
A 2026 backup decision is a ransomware decision. Immutability and tested recovery are non-negotiable dealbreakers.
Who owns this decision
CIO and CISO jointly, with Data Protection, Operations, application owners and the management body in the steering group. Add CRO and Audit under DORA scope.
Key criteria to weight
Immutability and air gap
Ransomware operators go after the backup repository first, deleting or encrypting it with the same admin credentials they stole for production. Only real WORM storage or a true air gap survives that; treat its absence as a dealbreaker.
RTO and RPO per service
Derived from the BIA. Without RTO/RPO targets per service, neither the solution nor a recovery test can be measured.
EU data residency and key custody
DORA Art. 28-30 make data location, access, exit and audit terms mandatory contract provisions for ICT services, with stricter terms for services supporting critical or important functions. Residency is only as good as the key custody behind it.
Recovery testing automation
DORA Art. 11 and NIS2 Art. 21 require regular testing. Manual restore tests do not scale to every critical application every quarter.
Scaling per TB and per VM/workload
Drives the contract price and the cost curve as data grows; check the licensing unit (per TB, per VM, per workload) against the 3-year growth estimate and the escalation path.
Integration into SIEM and SOC
Backup telemetry (restore failures, shortened retention, deleted restore points, disabled immutability) must reach the SIEM, because the repository is an early target in a ransomware intrusion.
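What "reach the detection stack" means in practice, as an added example rather than anything from the guide or a vendor: a handful of rules over a backup platform's audit export that flag the events a ransomware intrusion produces before encryption starts. The JSON event schema (`action`, `user`, `repo`, `job`) and the sample lines are constructed; a real deployment maps them onto the platform's own audit export and ships the returned alerts to the SIEM.

```python
"""Detection rules over backup-platform audit events for SIEM forwarding.

Added example, not the guide's or any vendor's code. The event schema
(action, user, repo, job, ...) and the log lines are constructed; map
them onto the real platform's audit export before use.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

FAIL_THRESHOLD = 3  # restore failures of one job in a row before alerting


def _alert(severity: str, rule: str, ev: Dict, detail: str) -> Dict:
    return {"severity": severity, "rule": rule, "ts": ev.get("ts"),
            "user": ev.get("user"), "detail": detail}


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run the rules over raw audit lines and return SIEM-ready alerts."""
    alerts: List[Dict] = []
    fail_streak: Dict[str, int] = defaultdict(int)
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # Garbage in the audit trail is itself a signal (tampering or a broken export).
            alerts.append({"severity": "low", "rule": "unparseable_log_line",
                           "ts": None, "user": None, "detail": raw[:80]})
            continue
        action = ev.get("action")
        job = ev.get("job", "?")
        if action == "restore.fail":
            fail_streak[job] += 1
            if fail_streak[job] == FAIL_THRESHOLD:  # fire once per streak
                alerts.append(_alert("medium", "repeated_restore_failure", ev,
                                     f"{FAIL_THRESHOLD} consecutive failures for {job}: {ev.get('reason')}"))
        elif action in ("restore.success", "job.success"):
            fail_streak[job] = 0
        elif action == "retention.update" and ev.get("new_days", 0) < ev.get("old_days", 0):
            alerts.append(_alert("high", "retention_shortened", ev,
                                 f"{ev.get('repo')}: {ev.get('old_days')} -> {ev.get('new_days')} days"))
        elif action == "restore_point.delete":
            alerts.append(_alert("high", "restore_points_deleted", ev,
                                 f"{ev.get('count')} restore points removed from {ev.get('repo')}"))
        elif action == "immutability.disable":
            alerts.append(_alert("critical", "immutability_disabled", ev, f"repo {ev.get('repo')}"))
        elif action == "login" and ev.get("mfa") is False:
            alerts.append(_alert("medium", "login_without_mfa", ev, f"from {ev.get('src_ip')}"))
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Alert count per rule, the shape a SOC dashboard would show."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed audit export: a night on which a backup admin account is used
# without MFA to lift immutability, shorten retention and purge restore points.
LOG_LINES = [
    '{"ts":"2026-03-02T01:10:05Z","user":"svc-backup","action":"job.success","job":"erp-db"}',
    '{"ts":"2026-03-02T01:12:00Z","user":"svc-backup","action":"restore.fail","job":"erp-db","reason":"checksum mismatch"}',
    '{"ts":"2026-03-02T01:13:00Z","user":"svc-backup","action":"restore.fail","job":"erp-db","reason":"checksum mismatch"}',
    '{"ts":"2026-03-02T01:14:00Z","user":"svc-backup","action":"restore.fail","job":"erp-db","reason":"checksum mismatch"}',
    '{"ts":"2026-03-02T02:40:11Z","user":"admin-k","action":"login","mfa":false,"src_ip":"203.0.113.9"}',
    '{"ts":"2026-03-02T02:41:02Z","user":"admin-k","action":"immutability.disable","repo":"s3-eu"}',
    '{"ts":"2026-03-02T02:41:30Z","user":"admin-k","action":"retention.update","repo":"s3-eu","old_days":30,"new_days":1}',
    '{"ts":"2026-03-02T02:42:02Z","user":"admin-k","action":"restore_point.delete","repo":"s3-eu","count":412}',
    'not json at all',
]

if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(f"[{a['severity']:<8}] {a['rule']:<26} {a['user']}: {a['detail']}")
```

The three repository-level rules (retention shortened, restore points deleted, immutability disabled) are the ones to route to the highest-priority queue: on a repository with a real compliance-mode lock they should be impossible, so any occurrence is either a misconfiguration or an intruder preparing the encryption run.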
Step-by-step decision flow
1. BIA and scope
Business Impact Analysis per critical application, RTO/RPO targets, data classes, and a 3-year volume and growth estimate.
2. Architecture decision
3-2-1-1-0 rule or the 4-3-2 architecture (four copies, three locations, two of them offsite). On-prem vs. cloud vs. hybrid. Sovereign cloud question.
3. Vendor longlist
Leaders Veeam, Rubrik, Cohesity, Commvault, Veritas. Plus cloud-native Druva, AWS Backup, Azure Backup, Google Cloud Backup and DR. Plus DACH players such as SEP.
4. Shortlist and PoC
3-5 vendors; each must restore a real critical application under load against the RTO/RPO from the BIA, with the run logged as evidence.
5. Memo and approval
Decision memo with criteria, dealbreakers, stakeholder alignment, residual risks. Readiness Score > 70 before procurement approval.
Compliance note
NIS2 Art. 21(2)(c) requires business continuity, including backup management and disaster recovery, and crisis management. DORA Art. 11 requires an ICT business continuity policy with tested response and recovery plans; Art. 12 adds backup policies and tested restoration and recovery procedures. BAIT's IT emergency management requirements demand emergency concepts and restart tests. Mandatory evidence: BIA, backup concept, recovery plan, test logs, documented vendor decision.
Common pitfalls
- Backup software is bought, the BCM concept follows later. Reverse the order.
- Immutability is assumed because 'cloud'. WORM or a true air gap must be contractually and technically proven: in object storage that means a compliance-mode lock the tenant admin cannot lift, not a governance-mode lock or plain versioning.
- Recovery tests are promised but never run. The audit finds no test logs. NIS2/DORA finding.
- Encryption keys stay in the vendor's custody. The US CLOUD Act exposure is then unaddressed and the residency promise is hollow.
FAQ
What is the 3-2-1-1-0 rule?
Three copies of the data on two different media, one offsite, one offline or immutable, and zero errors in regular recovery tests. It extends the classical 3-2-1 rule with the ransomware-resilient copy and with test discipline: an untested copy does not satisfy the zero.
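One way to make the rule above, and the "Immutability and air gap" criterion, machine-checkable, as an added example that is not part of this guide: score a copy inventory against 3-2-1-1-0 and refuse to count a lock as WORM unless a tenant admin cannot lift it. The Copy fields, the lock-mode names (modelled on S3 Object Lock's GOVERNANCE and COMPLIANCE modes) and both inventories are assumptions.

```python
"""Score a backup copy inventory against the 3-2-1-1-0 rule.

Added example, not part of the guide. The Copy fields and the lock-mode
names are assumptions modelled on S3 Object Lock, where a COMPLIANCE
retention cannot be shortened by any principal while a GOVERNANCE
retention can be removed by anyone holding the bypass permission.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Copy:
    name: str
    medium: str                      # "disk", "object-storage", "tape", ...
    site: str                        # where the copy physically lives
    offsite: bool                    # different site from production
    offline: bool = False            # physically disconnected (tape in a vault)
    lock_mode: Optional[str] = None  # None, "GOVERNANCE" or "COMPLIANCE"
    lock_days: int = 0               # retention enforced by the lock
    last_test_errors: Optional[int] = None  # None = never restore-tested


@dataclass
class Verdict:
    passed: bool
    findings: List[str] = field(default_factory=list)


def is_worm(c: Copy, min_lock_days: int) -> bool:
    """Only a COMPLIANCE lock held at least min_lock_days counts as WORM.
    GOVERNANCE mode is bypassable by a privileged identity, which is exactly
    what ransomware operators take over first."""
    return c.lock_mode == "COMPLIANCE" and c.lock_days >= min_lock_days


def check_3_2_1_1_0(copies: List[Copy], min_lock_days: int = 30) -> Verdict:
    f: List[str] = []
    if len(copies) < 3:
        f.append(f"{len(copies)} copies, rule needs 3")
    if len({c.medium for c in copies}) < 2:
        f.append("all copies on one medium type")
    if not any(c.offsite for c in copies):
        f.append("no offsite copy")
    if not any(c.offline or is_worm(c, min_lock_days) for c in copies):
        f.append("no offline or COMPLIANCE-locked copy: every copy is reachable "
                 "from a compromised admin account")
    for c in copies:
        if c.lock_mode == "GOVERNANCE":
            f.append(f"{c.name}: GOVERNANCE lock is bypassable and does not count as immutable")
        if c.lock_mode == "COMPLIANCE" and c.lock_days < min_lock_days:
            f.append(f"{c.name}: lock of {c.lock_days} days is shorter than the required {min_lock_days}")
        if c.last_test_errors is None:
            f.append(f"{c.name}: never restore-tested (rule needs 0 errors, not 0 tests)")
        elif c.last_test_errors > 0:
            f.append(f"{c.name}: {c.last_test_errors} errors in last restore test")
    return Verdict(passed=not f, findings=f)


# Constructed inventories for illustration: what a PoC typically finds, and the fix.
AS_FOUND = [
    Copy("prod-nas", "disk", "dc-frankfurt", offsite=False, last_test_errors=0),
    Copy("s3-eu", "object-storage", "eu-central-1", offsite=True,
         lock_mode="GOVERNANCE", lock_days=30, last_test_errors=0),
    Copy("tape-vault", "tape", "vault-munich", offsite=True, offline=True),
]
HARDENED = [
    Copy("prod-nas", "disk", "dc-frankfurt", offsite=False, last_test_errors=0),
    Copy("s3-eu", "object-storage", "eu-central-1", offsite=True,
         lock_mode="COMPLIANCE", lock_days=30, last_test_errors=0),
    Copy("tape-vault", "tape", "vault-munich", offsite=True, offline=True, last_test_errors=0),
]

if __name__ == "__main__":
    for label, inv in (("as found", AS_FOUND), ("hardened", HARDENED)):
        v = check_3_2_1_1_0(inv)
        print(label, "PASS" if v.passed else "FAIL")
        for line in v.findings:
            print("  -", line)
```

The as-found inventory passes the "3" and the "2" and even has an offsite copy, and still fails: the cloud copy is only governance-locked and the tape has never been restored from. Those are the two findings the pitfalls section warns about, and they are the ones a vendor PoC has to disprove rather than assert.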
Is cloud backup enough for NIS2 and DORA?
Only if immutability is provable, key custody is clearly arranged, and recovery tests are documented. Pure cloud backups without an air gap or a compliance-mode lock are usually not enough, because an attacker who compromises the tenant admin identity can delete or encrypt them along with production.
How often must recovery be tested?
DORA Art. 25 requires testing of the ICT systems supporting critical or important functions at least yearly; Art. 26 adds threat-led penetration testing at least every three years for entities in its scope. NIS2 Art. 21 requires regular assessment of the effectiveness of the measures. Practice: quarterly restore tests for critical apps, annual end-to-end DR test across the stack, each with a test log as evidence.
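A restore test only counts as evidence if it produces a record an auditor can read. The following added example (not the guide's tooling) restores into an isolated directory, verifies every file against the hash manifest captured at backup time, compares the achieved RTO and RPO with the BIA targets and returns the test record; the service name erp-db, the targets (RTO 4 h, RPO 15 min) and the sample files are constructed for illustration.

```python
"""Restore verification with an audit evidence record.

Added example, not the guide's own tooling. Paths, the service name
'erp-db', the targets (RTO 4 h, RPO 15 min) and the sample files are
constructed for illustration; a real run points restored_root at an
isolated restore target, never at production.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every file under root. Captured at backup time and stored with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(service: str, restored_root: Path, manifest: Dict[str, str],
                   rto_target: timedelta, rto_actual: timedelta,
                   rpo_target: timedelta, rpo_actual: timedelta) -> Dict:
    """Compare the restored tree with the manifest and the timings with the BIA targets."""
    restored = build_manifest(restored_root)
    missing: List[str] = sorted(set(manifest) - set(restored))
    corrupt: List[str] = sorted(k for k, v in manifest.items()
                                if k in restored and restored[k] != v)
    unexpected: List[str] = sorted(set(restored) - set(manifest))
    rto_met = rto_actual <= rto_target
    rpo_met = rpo_actual <= rpo_target
    record = {
        "service": service,
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files_expected": len(manifest),
        "files_missing": missing,
        "files_corrupt": corrupt,
        "files_unexpected": unexpected,
        "rto_target_s": int(rto_target.total_seconds()),
        "rto_actual_s": int(rto_actual.total_seconds()),
        "rto_met": rto_met,
        "rpo_target_s": int(rpo_target.total_seconds()),
        "rpo_actual_s": int(rpo_actual.total_seconds()),
        "rpo_met": rpo_met,
    }
    # The "0" in 3-2-1-1-0: one missing or altered file fails the whole test.
    record["passed"] = not (missing or corrupt or unexpected) and rto_met and rpo_met
    return record


# Constructed content standing in for an application's data set.
SAMPLE_FILES = {
    "db/erp.sql": b"CREATE TABLE invoices (id INT PRIMARY KEY);\n" * 200,
    "config/app.yaml": b"db_host: erp-db.internal\nretention_days: 30\n",
    "docs/readme.txt": b"restore order: db, then config, then app tier\n",
}


def run_demo(corrupt: bool = False, rto_actual_s: int = 1800) -> Dict:
    """Back up, restore into a scratch directory, optionally damage one file, verify."""
    work = Path(tempfile.mkdtemp())
    try:
        src, dst = work / "source", work / "restored"
        for rel, data in SAMPLE_FILES.items():
            f = src / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        manifest = build_manifest(src)       # taken at backup time
        shutil.copytree(src, dst)            # stands in for the real restore
        if corrupt:
            # Simulate silent corruption or tampering in the restored copy.
            target = dst / "db" / "erp.sql"
            target.write_bytes(target.read_bytes()[:-1] + b"X")
        return verify_restore(
            "erp-db", dst, manifest,
            rto_target=timedelta(hours=4), rto_actual=timedelta(seconds=rto_actual_s),
            rpo_target=timedelta(minutes=15), rpo_actual=timedelta(minutes=9),
        )
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(run_demo(corrupt=True), indent=2))
```

The record, one JSON document per service per test, is the artefact the compliance note calls a test log: it carries the targets, the measured values and the exact files that failed, so a quarterly run for every critical application can be scheduled and the results kept without anyone writing a report by hand.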
Related decision guides
Compliance
How to reach NIS2 readiness as a mid-market or enterprise operator
Compliance
How to reach DORA readiness as a financial entity
Compliance
ISO 27001:2022 recertification: a structured migration and renewal guide
Security
How to choose an EDR or XDR platform in 2026
Security
How to choose an IAM, IGA and PAM stack
Related comparisons
DecisionOS vs Excel and slide decks
Spreadsheets work until the second stakeholder shows up.
DecisionOS vs RFP tools
RFP tools automate Q&A. DecisionOS runs the decision.
DecisionOS vs procurement suites
Procurement suites execute the purchase. DecisionOS makes the decision.
DecisionOS vs Notion
Notion stores knowledge. DecisionOS produces decisions.
DecisionOS vs Confluence
Confluence is a wiki. DecisionOS is a decision record.
Relevant industries
Banks & Financial Services Providers
Banks decide under DORA, MaRisk and BAIT at the same time. DecisionOS delivers the memo that all three examiners accept.
Insurers
Insurers decide under DORA, Solvency II and VAIT at the same time. One memo format for all three.
Healthcare
Healthcare: KRITIS + NIS2 + B3S + GDPR Art. 9. DecisionOS makes the memo auditable.
Energy Utilities
Energy utilities: KRITIS + IT-SiG 2.0 + NIS2 + sector-specific security requirements. The memo must hold up before BSI and BNetzA.
Manufacturing & Industrial
Manufacturing is a NIS2 important entity. OT security and supply-chain diligence are mandatory. The decision memo is the audit standard.
