Data Sovereignty After NIS2 and DORA: What Backup Teams Need to Know

For years, backup strategy was primarily driven by cost, recovery speed, and storage efficiency.

Today, that’s no longer enough.

Across Europe, regulations like the EU’s NIS2 Directive and the Digital Operational Resilience Act (DORA) are reshaping how organisations think about resilience, operational risk, and — critically — data sovereignty.

For backup and recovery teams, this marks a significant shift.

The conversation is no longer simply:
“Can we recover the data?”

It is increasingly:

  • Where is the data stored?
  • Who can access it?
  • Which legal jurisdiction applies?
  • How resilient is the service provider?
  • And can we prove operational recoverability under regulatory scrutiny?

Backup infrastructure has become part of the compliance perimeter.

Why Data Sovereignty Suddenly Matters More

Data sovereignty is not a new concept. But NIS2 and DORA have elevated it from a legal or procurement concern into an operational resilience issue.

That distinction matters.

Organisations are now expected not only to protect data, but also to understand:

  • where critical systems and backups reside,
  • how third-party providers operate,
  • and what happens if those providers fail, suffer outages, or fall under foreign jurisdictional pressures.

For many organisations, especially those heavily invested in global cloud platforms, that creates uncomfortable questions.

A backup copy stored “in Europe” does not automatically mean sovereign control exists.

NIS2 Raises the Baseline for Operational Resilience

The NIS2 Directive significantly expands cybersecurity obligations across the EU, affecting sectors including:

  • healthcare,
  • energy,
  • transport,
  • digital infrastructure,
  • manufacturing,
  • public administration,
  • and managed service providers.

One of the most important changes is accountability.

Organisations are now expected to demonstrate:

  • risk management measures,
  • incident response capabilities,
  • business continuity planning,
  • supply chain security,
  • and disaster recovery preparedness.

Backups are no longer viewed as passive infrastructure. They are part of an organisation’s resilience capability.

This means backup teams must increasingly answer questions like:

  • Can recovery operations continue during a supplier outage?
  • Are backup credentials isolated?
  • Can ransomware compromise recovery platforms?
  • Are recovery procedures regularly tested?
  • Is sensitive data replicated outside approved jurisdictions?

These are operational resilience questions — not just storage questions.

DORA Changes the Conversation for Financial Services

While NIS2 applies broadly, DORA specifically targets financial institutions and their ICT providers.

Its focus is clear:
financial organisations must be able to withstand, respond to, and recover from severe operational disruptions.

That includes cyberattacks, cloud outages, third-party failures, and systemic technology risks.

Under DORA, firms are expected to:

  • continuously test resilience,
  • assess third-party ICT risk,
  • maintain robust recovery capabilities,
  • and document operational dependencies.

This has major implications for backup architecture.

Financial institutions must increasingly evaluate:

  • cloud concentration risk,
  • dependency on single vendors,
  • cross-border data replication,
  • recovery testing maturity,
  • and the operational resilience of backup providers themselves.

The days of treating backup storage as a simple commodity are ending.

The Cloud Sovereignty Grey Area

One of the biggest misconceptions in modern backup strategy is the assumption that regional hosting automatically guarantees sovereignty.

It often does not.

A platform may store data within the EU while still being operated by:

  • a non-EU parent company,
  • foreign support personnel,
  • or infrastructure subject to external legal frameworks.

For regulated industries, this creates a governance challenge.

Questions increasingly being asked by security and compliance teams include:

  • Who ultimately controls encryption keys?
  • Can foreign entities compel access?
  • Where are support operations based?
  • How is metadata handled?
  • What jurisdictions govern incident response operations?

Backup teams now need visibility beyond the storage location itself.

Recovery Is Becoming a Compliance Function

Historically, recovery testing was often informal or infrequent.

That is changing rapidly.

Both NIS2 and DORA push organisations toward demonstrable operational resilience:
not theoretical recovery, but proven recovery capability.

This means organisations must increasingly validate:

  • recovery times under pressure,
  • dependency mapping,
  • ransomware recovery workflows,
  • backup integrity,
  • and cross-functional crisis coordination.

In practice, many organisations are discovering that recovery complexity — not backup failure — is their biggest operational weakness.

A technically successful restore does not necessarily mean the business can operate safely.

What Backup Teams Should Be Doing Now

1. Review Data Residency and Jurisdiction

Understand:

  • where backups physically reside,
  • who operates the platform,
  • what legal jurisdictions apply,
  • and how encryption keys are controlled.

2. Assess Third-Party Dependency Risk

Backup providers are now part of the operational resilience chain.

Evaluate:

  • concentration risk,
  • provider resilience,
  • support models,
  • and recovery guarantees.

3. Treat Backup Infrastructure as Critical Security Infrastructure

Protect backup systems with:

  • MFA,
  • privileged access isolation,
  • network segmentation,
  • immutable storage,
  • and continuous monitoring.

4. Test Recovery Realistically

Move beyond simple restore tests.

Validate:

  • identity recovery,
  • application dependencies,
  • operational workflows,
  • and ransomware response scenarios.

5. Align Backup Strategy With Governance Teams

Backup architecture decisions now intersect with:

  • compliance,
  • legal,
  • procurement,
  • risk management,
  • and executive governance.

Backup teams should be involved earlier in resilience and sovereignty discussions.
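The five steps above can be turned into a repeatable inventory review. The following is an added example written for this page, not code from the original post or from any backup product; the record fields, policy values and sample inventory are constructed assumptions. It flags copies stored or operated outside approved jurisdictions, provider-held encryption keys, non-immutable storage, stale recovery tests and single-provider concentration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

APPROVED_JURISDICTIONS = {"EU"}  # assumed policy value
MAX_RESTORE_TEST_AGE_DAYS = 90   # assumed policy value

@dataclass(frozen=True)
class BackupCopy:  # constructed inventory record, not any vendor's schema
    name: str
    provider: str
    storage_region: str            # where the bytes physically reside
    operator_jurisdiction: str     # law the operating entity answers to
    key_custody: str               # "customer" or "provider"
    immutable: bool
    last_restore_test: Optional[date]

def assess_copy(copy: BackupCopy, today: date) -> List[str]:
    """Policy findings for one copy; an empty list means it passes every check."""
    findings = []
    if copy.storage_region not in APPROVED_JURISDICTIONS:
        findings.append("data-outside-approved-jurisdiction")
    if copy.operator_jurisdiction not in APPROVED_JURISDICTIONS:
        findings.append("operator-outside-approved-jurisdiction")  # EU hosting alone is not sovereignty
    if copy.key_custody != "customer":
        findings.append("provider-holds-encryption-keys")
    if not copy.immutable:
        findings.append("not-immutable")
    if copy.last_restore_test is None or (today - copy.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS:
        findings.append("recovery-test-stale")
    return findings

def assess_inventory(copies: List[BackupCopy], today: date) -> Dict[str, List[str]]:
    """Per-copy findings plus portfolio-level findings under the key '_portfolio'."""
    report = {c.name: assess_copy(c, today) for c in copies}
    portfolio = []
    if len({c.provider for c in copies}) < 2:
        portfolio.append("single-provider-concentration")
    if not any(f == [] for f in report.values()):
        portfolio.append("no-fully-compliant-recovery-copy")
    report["_portfolio"] = portfolio
    return report

SAMPLE_INVENTORY = [  # constructed data: EU-operated copy plus EU-hosted but US-operated replica
    BackupCopy("primary-eu", "eu-provider-a", "EU", "EU", "customer", True, date(2025, 1, 20)),
    BackupCopy("cloud-replica", "global-cloud-b", "EU", "US", "provider", True, None),
]

def run_example() -> Dict[str, List[str]]:
    return assess_inventory(SAMPLE_INVENTORY, date(2025, 3, 1))  # constructed assessment date
```

The replica illustrates the grey area described earlier: it is hosted in the EU yet still fails on operator jurisdiction, key custody and untested recovery.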

The New Reality: Backup Is Now Strategic Infrastructure

NIS2 and DORA are accelerating a broader shift already underway across Europe.

Backup is no longer just an IT operations function.

It is now directly connected to:

  • cyber resilience,
  • regulatory compliance,
  • operational continuity,
  • and organisational trust.

The organisations that adapt fastest will not simply store backups more securely.

They will build recovery strategies that are:

  • operationally tested,
  • jurisdictionally understood,
  • resilient under pressure,
  • and aligned with modern regulatory expectations.

Because in the era of operational resilience, sovereignty is not just about where data lives.

It’s about whether the organisation can still function when everything around that data goes wrong.