Backups are a cornerstone of cyber resilience and a core requirement under the EU’s NIS2 Directive for business continuity and disaster recovery. However, backups are often misunderstood and overestimated in their ability to protect against ransomware. According to ENISA, 94% of ransomware attacks include attempts to compromise backup systems, and in more than half of these incidents, the attackers succeed. The cost of recovery rises significantly when backups are lost, with estimated recovery costs exceeding €2.7 million per incident. For organisations in scope under NIS2, the ability to restore operations securely and reliably is no longer a best practice; it is an obligation.
Backups Are a Target, Not a Guarantee
Ransomware groups now prioritise destroying or encrypting your backups as part of their attack. Once they breach your environment, they search for administrative credentials and exploit lateral movement to reach backup systems. Common vulnerabilities include:
- Storing backups on the same network or domain as production systems
- Using the same credentials for backup and operational infrastructure
- Cloud backups without isolation or immutability
If your backup environment can be accessed using compromised production credentials, then it is not resilient. During an attack, this connectivity can render your recovery options useless.
“Too many organisations think backup equals resilience, but that is no longer true in today’s threat landscape. Your backups must be isolated, validated, and tested regularly. If ransomware can reach them, they are part of the problem, not the solution.”
— Barry Rooney, CTO, CommSec Cyber Security
What NIS2 Expects From You
Article 21 of the NIS2 Directive requires organisations to adopt technical and organisational measures, including “business continuity, crisis management, and disaster recovery, such as backup management and disaster recovery plans.” This reinforces the need not only to maintain backups, but to ensure they are separated, protected, and functional in a crisis.
To comply with the NIS2 Directive, and to defend your business, your backup strategy should be built on three principles: isolation, immutability, and restricted access.
Building Ransomware-Resilient Backups
- Use Isolated or Air-Gapped Copies
Backups should be kept separate from your main network, either physically or logically. Air-gapped backups involve writing data to media that is disconnected once the process is complete, such as removable drives or tape. A logically isolated network with independent authentication and minimal connectivity can also reduce exposure.
- Apply Immutability Controls
Immutable backups are stored in a way that prevents them from being changed or deleted for a set period. Many backup solutions now offer this feature, including AWS S3 Object Lock, Azure Immutable Blobs, and other cloud and on-prem solutions. Immutability ensures that even a compromised administrator account cannot erase protected data.
- Separate Credentials and Limit Access
Do not use shared administrative accounts for backups and production systems. Configure dedicated credentials for your backup infrastructure, implement role-based access control, and apply multi-factor authentication. Backup networks should be segmented and monitored to prevent unauthorised access.
Follow the 3-2-1-1-0 Rule
Modern best practice is often summarised by the enhanced backup strategy known as 3-2-1-1-0:
- 3 copies of your data
- 2 different storage types (e.g. disk and cloud)
- 1 copy stored offsite
- 1 copy that is offline or immutable
- 0 errors, confirmed through regular recovery testing
This approach provides layered protection against failures, compromise, and ransomware encryption.
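The three principles above (isolation, immutability, restricted access) and the 3-2-1-1-0 rule can be turned into a check that runs against an inventory of your backup copies. The following is an added example, not code from the article or from any backup product; the inventory fields (`storage_type`, `immutable_mode`, `retain_until`, `identity`, `isolated_network`) and the rule that only a non-bypassable lock with retention still running counts as immutable are assumptions made for illustration. It goes slightly beyond the rule as stated by also flagging copies reachable with a production identity and locks whose retention has lapsed.

```python
"""Check a backup inventory against the 3-2-1-1-0 rule and the isolation,
immutability and credential-separation principles.

Added example (not from the original article); the inventory format and
field names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class BackupCopy:
    name: str
    storage_type: str             # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline: bool                 # disconnected (air-gapped) once written
    immutable_mode: Optional[str]  # e.g. "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[date]  # end of the immutability retention window
    identity: str                 # credential used to reach this copy
    isolated_network: bool        # separate segment, independent authentication


@dataclass
class Inventory:
    copies: List[BackupCopy]
    production_identities: Set[str]  # accounts that can touch production
    last_restore_test: Optional[date]
    last_restore_errors: int


def is_effectively_immutable(copy: BackupCopy, today: date, min_days: int) -> bool:
    """Assumption of this example: only a lock a privileged account cannot lift
    (here labelled "COMPLIANCE"), with retention still running for at least
    min_days, protects against a compromised administrator."""
    if copy.immutable_mode != "COMPLIANCE" or copy.retain_until is None:
        return False
    return copy.retain_until >= today + timedelta(days=min_days)


def evaluate(inv: Inventory, today: date, min_retention_days: int = 7,
             max_test_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings = []
    copies = inv.copies
    if len(copies) < 3:
        findings.append(f"3 copies required, found {len(copies)}")
    if len({c.storage_type for c in copies}) < 2:
        findings.append("2 different storage types required")
    if not any(c.offsite for c in copies):
        findings.append("1 offsite copy required")
    if not any(c.offline or is_effectively_immutable(c, today, min_retention_days)
               for c in copies):
        findings.append("1 offline or effectively immutable copy required")
    # 0 errors: a recent restore drill must have completed without errors
    if (inv.last_restore_test is None
            or (today - inv.last_restore_test).days > max_test_age_days):
        findings.append(f"no restore test in the last {max_test_age_days} days")
    elif inv.last_restore_errors:
        findings.append(f"last restore test reported {inv.last_restore_errors} error(s)")
    # Credential separation, isolation and lock validity, checked per copy
    for c in copies:
        if c.identity in inv.production_identities:
            findings.append(f"{c.name}: reachable with production identity {c.identity}")
        if not c.offline and not c.isolated_network:
            findings.append(f"{c.name}: online copy not on an isolated network")
        if c.immutable_mode is not None and not is_effectively_immutable(
                c, today, min_retention_days):
            findings.append(f"{c.name}: lock is bypassable or retention has lapsed")
    return findings


# Constructed sample inventory: the cloud copy's lock has already expired and
# the copy is reachable with a production admin account.
TODAY = date(2025, 6, 1)
SAMPLE = Inventory(
    copies=[
        BackupCopy("nightly-disk", "disk", offsite=False, offline=False,
                   immutable_mode=None, retain_until=None,
                   identity="svc-backup", isolated_network=True),
        BackupCopy("cloud-objectlock", "object-storage", offsite=True, offline=False,
                   immutable_mode="COMPLIANCE", retain_until=date(2025, 5, 20),
                   identity="prod-admin", isolated_network=True),
        BackupCopy("weekly-tape", "tape", offsite=True, offline=True,
                   immutable_mode=None, retain_until=None,
                   identity="svc-backup-tape", isolated_network=True),
    ],
    production_identities={"prod-admin", "domain-admin"},
    last_restore_test=date(2025, 4, 15),
    last_restore_errors=0,
)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE, TODAY):
        print("FINDING:", finding)
```

The sample passes the five counts (three copies, three storage types, an offsite copy, an offline tape, a recent clean restore test) but still produces two findings, which is the point: a copy that satisfies the rule on paper can be reached with production credentials, and an expired object lock offers no protection at all.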
Why Mid-Sized and Essential Service Providers Are Vulnerable
Organisations in sectors such as healthcare, logistics, education, and local government often lack internal security expertise or dedicated backup roles. Backups may be configured through managed service providers or legacy systems, offering attackers a weak link. Under the NIS2 Directive, these organisations are expected to meet a higher standard of care and continuity.
Test Your Recovery Plans
A backup that cannot be restored is worthless. Recovery testing confirms the integrity of your backups and should be carried out regularly. ENISA and the UK’s NCSC recommend periodic restore drills as part of incident response preparation. Consider running simulated ransomware scenarios to measure your recovery time and identify gaps in access or procedures.
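A restore drill only counts as "0 errors" if the restored data is actually compared with what was backed up. The following is an added example, not code from the article or from any backup product: it records a SHA-256 manifest of a source tree at backup time, rebuilds the manifest from the restored tree, and reports missing, corrupted and unexpected files. The manifest format, the directory layout and the simulated corruption are all constructed for this illustration.

```python
"""Verify a restore drill by comparing a hash manifest taken at backup time
with one rebuilt from the restored tree.

Added example (not from the original article); the manifest format and the
sample tree are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each relative file path under root to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(expected: Dict[str, str], restored_root: Path) -> List[str]:
    """Return the list of errors; a successful drill returns an empty list."""
    actual = build_manifest(restored_root)
    errors = []
    for rel, digest in expected.items():
        if rel not in actual:
            errors.append(f"missing: {rel}")
        elif actual[rel] != digest:
            errors.append(f"corrupt: {rel}")
    for rel in actual:
        if rel not in expected:
            errors.append(f"unexpected: {rel}")
    return errors


def run_drill() -> List[str]:
    """Constructed drill: build a small source tree, record its manifest, then
    'restore' a copy with one file silently altered and one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for root in (source, restored):
            (root / "db").mkdir(parents=True)
            (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
            (root / "config.ini").write_bytes(b"[backup]\nschedule=nightly\n")
        # present in the source only: the restore will be missing it
        (source / "db" / "orders.sql").write_bytes(b"CREATE TABLE orders (id INT);\n")
        manifest = build_manifest(source)  # recorded at backup time
        # simulate silent corruption in the restored copy (one byte changed)
        (restored / "config.ini").write_bytes(b"[backup]\nschedule=nightlY\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for error in run_drill():
        print("ERROR:", error)
```

The manifest should be written at backup time and stored with the same protection as the backup itself (offline or immutable), otherwise an attacker who can alter the data can alter the expected hashes too. In a real drill the restored tree is what your backup software wrote back, not a copy made by this script.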
Conclusion
The NIS2 Directive has raised the bar for cyber resilience across the EU. Backups must now be treated as critical infrastructure, not just a routine IT task. A ransomware-resilient backup strategy should include offline or immutable storage, credential separation, and regular testing. These steps not only meet regulatory expectations, they protect your ability to recover and continue operations.
For Heads of IT and CISOs, the message is clear: your backup is only as strong as your isolation strategy. Act now to assess your organisation’s posture and address gaps before an incident forces the issue.