Essential criteria for a backup vendor in the face of NIS2

Compliance | May 17, 2024 | 6 minutes | By Mikkel Oxfeldt

With the NIS2 Directive deadline approaching, businesses face heightened scrutiny over their cybersecurity measures and data protection practices. Central to NIS2 compliance is the assurance of uninterrupted business operations and the safeguarding of critical data through backup management and disaster recovery strategies.

As organizations prepare to meet the stringent requirements outlined in NIS2, selecting a suitable backup vendor is fundamental to successful compliance. In this article, I’ll provide recommendations for building a vendor checklist to help ensure that essential and important entities are well-equipped to protect their data and maintain business continuity in the face of evolving cybersecurity threats. (Read more about NIS2 requirements.)

If you aren’t quite at the vendor-selection step yet, there’s also a data protection best practices checklist below to help you along in your data protection and NIS2 compliance journey.

“A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.”

Source: NIS2 Directive

Vendor checklist for NIS2 compliance

Integral to fulfilling the business continuity mandate via backup management and disaster recovery is finding a backup vendor that can fulfill the requirements. When evaluating a backup vendor, you should consider the following:

  • Disaster Recovery (DR) policy documentation: A documented Disaster Recovery (DR) policy serves as a roadmap for managing business operations during and after security incidents. It outlines strategies and procedures for ensuring data continuity and resilience, including backup and recovery protocols. Ensure the backup vendor has a documented DR policy in place.

  • Data residency control: Data residency control allows organizations to specify where their data and backups are stored (data sovereignty), ensuring compliance with regional laws and regulations such as GDPR. Verify that the backup vendor allows you to control where your data backups reside.

  • Vendor-independent cloud: Storing copies in the same logical or physical infrastructure exposes you to risk. Following the 3-2-1 backup rule and storing backups on logically separate infrastructure eliminates the risks associated with keeping copies in primary environments and provides true backup. Choose a cloud backup provider that ensures separation from SaaS vendors. Employ air-gapping measures to safeguard against data loss during public cloud unavailability and to prevent ransomware attacks.

  • Security certifications: ISO 27001 certified backup and recovery solutions meet the most comprehensive certification requirements possible.

  • Immutability and encryption: Immutability and encryption are essential security measures for protecting data at rest and in transit. Immutability ensures that backups cannot be deleted or manipulated, while encryption safeguards data from unauthorized access and cyber threats, maintaining data integrity. Prioritize vendors that leverage immutability and encryption security measures for data at rest and in transit.

  • Automated, incremental backups: Automated, incremental backups performed multiple times a day provide a proactive approach to data continuity. By having the most up-to-date data available and easily restorable, organizations can minimize the risk of data loss in the event of unforeseen disasters. Choose a vendor that offers automated, incremental backups multiple times a day.

  • Logging and reporting: Comprehensive logging and reporting features enable organizations to track and monitor backup operations effectively. Transparency and accountability in backup processes facilitate compliance with NIS2 requirements and provide insights for optimizing backup strategies.

  • Access control and monitoring: Access control and monitoring mechanisms allow organizations to manage and monitor access to their backup infrastructure. Implementing robust access controls reduces the risk of unauthorized access and enhances overall data security by limiting access to authorized personnel.

  • Regular testing and documentation: Regular testing of backup and recovery processes is essential for validating their effectiveness and maintaining compliance with NIS2 standards. Documentation of testing procedures and results provides evidence of compliance and helps identify areas for improvement in backup strategies.

Best practices for creating a holistic backup policy

If, however, you aren’t quite at the stage of choosing a backup provider, here’s a checklist which covers data protection best practices to get yourself prepared for the step of selecting a backup vendor:


1. Identify critical business processes and the systems that hold critical data: Start your backup policy by meticulously identifying the critical business processes and data that are crucial for business continuity. This includes safeguarding customer data, financial records, and intellectual property, aligning with GDPR compliance and ISO 27001 certification.

2. Protect identity systems: Recognize the central role of identity systems (such as Entra ID and Okta) in managing user authentication and authorization data. Protecting these systems is paramount to reducing the risk of unauthorized access and data breaches. This practice aligns with NIS2 compliance, acknowledging the critical nature of identity systems.

3. Ensure regular backups: Implement a well-structured backup schedule or automated scheduling to ensure regular backups. This proactive approach safeguards data continuity in the face of unforeseen disasters, aligning with ISO 27001 checklist requirements.

4. Establish retention periods: Determine backup retention periods based on recovery objectives and compliance mandates. Craft retention schedules, especially for data protection compliance, ensuring adherence to legal requirements for data purging as needed.

5. Define recovery procedures: Delineate clear procedures for restoring data following a loss. Specify responsibilities and access protocols, and determine the priority of data recovery, aligning with ISO 27001 audit standards.

6. Test backups regularly: Regularly test backups to verify their ability to be swiftly and accurately restored in the event of data loss. Ongoing testing helps identify and rectify issues, meeting ISO 27001 compliance and NIS2 cybersecurity standards.

7. Implement the Map-Prioritize-Test framework: Integrate the Map-Prioritize-Test framework into your backup policy. Assess and analyze critical infrastructure across various environments, prioritize crucial data for business continuity, and regularly test the backup system for confidence in your dynamic disaster recovery plan.

8. Choose a backup and disaster recovery partner: After implementing the framework, you’re ready to explore solutions tailored to your requirements. When selecting a vendor, adhere to industry best practices for data protection, as covered in the vendor checklist above.

A well-structured backup policy is indispensable in any organization's IT strategy, serving as a safeguard against data loss or corruption. It provides assurance that critical data remains protected, retained, and recoverable in a timely manner. By adhering to these best practices, organizations can bolster their data resilience, uphold their commitment to data security, and navigate the complexities of compliance in the modern digital landscape.


Selecting the right backup vendor is a critical step in ensuring compliance with the NIS2 Directive. By following the checklist of best practices outlined in this article, businesses can mitigate risks, safeguard critical data, and maintain operational resilience in the face of cybersecurity threats. As the deadline for NIS2 compliance approaches, businesses must prioritize the selection of a backup vendor that meets their specific requirements and aligns with industry best practices.


A backup provider not only ensures compliance with regulatory requirements but also strengthens overall data protection efforts in today's digital landscape. Ultimately, selecting a backup vendor is more than a compliance checkbox; it's an investment in the long-term security and resilience of your organization's data infrastructure. By adhering to the recommendations provided here, businesses can mitigate risks, safeguard critical data, and navigate the evolving landscape of cybersecurity threats with resilience and confidence.

Want to keep learning? Check out our on-demand webinar "Prepare for NIS2: Business continuity is critical. Here's how to get it right" hosted by Søren Skibsted, Dr. Andreas Rebetzky, and myself, Mikkel Oxfeldt.



Mikkel Oxfeldt is General Counsel, Attorney-at-law at Keepit. He started his career in private practice in 1999 advising IT-services providers and telecoms and has been individually named in Legal 500. He later moved in-house, holding various roles at companies ranging from medium-sized scaleups to large, listed businesses. Mikkel has built the legal department at Keepit with the mantra of providing commercially sound legal advice in a timely fashion. Mikkel joined Keepit in 2020 together with the A-round funding from One Peak Partners.