NIS2 enforcement active in NL & BE — 2026

NIS2 and Backup: What Article 21 Requires

NIS2 places specific, enforceable obligations on how organisations protect and recover their data. This page explains what the directive requires for backup, disaster recovery and business continuity — and how EU-hosted managed services can support your compliance journey.

NIS2 Penalty Exposure (per incident, per entity)

  • Essential entities — max fine €10,000,000 or 2% of global annual turnover
  • Important entities — max fine €7,000,000
  • Management personal liability: Yes
  • NL transposition (Cbw): In force
  • BE enforcement: opened April 2026

Whichever amount is higher applies. Management may be held personally liable for failure to implement required measures.

  • 18 sectors covered
  • 160,000+ EU organisations affected
  • Article 21 mandates backup management
  • Management personally liable
  • Tested recovery required — not just backup

What is NIS2?

The Network and Information Security Directive 2 (Directive EU 2022/2555) is the EU's primary cybersecurity legislation for critical and important organisations. It replaces the original NIS Directive and significantly expands both the scope of who must comply and the specific technical measures required.

"Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services."

— Article 21(1), Directive EU 2022/2555 (NIS2)

In the Netherlands, NIS2 has been transposed into national law as the Cyberbeveiligingswet (Cbw). In Belgium, the enforcement window opened in April 2026 under the CCB's CyberFundamentals Framework. Both jurisdictions actively enforce the directive's requirements.

Who is covered?

Essential: the largest organisations in the highest-risk sectors. Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (MSPs), public administration, space.

Important: mid-size organisations in extended sectors. Postal services, waste management, chemicals, food, manufacturing, digital providers (marketplaces, search engines, social platforms), research.

Size thresholds
Generally applies to organisations with 50+ employees or €10M+ turnover — smaller organisations in critical sectors may also be included at member state discretion.

Article 21 — The Three Pillars of Business Continuity

Article 21(2)(c) is the core provision governing backup, disaster recovery and crisis management. The text is deliberately short — the technical detail is provided in the Commission Implementing Regulation (CIR) 2024/2690, which binds organisations in specific sectors including MSPs.

"business continuity, such as backup management and disaster recovery, and crisis management"

— Article 21(2)(c), Directive EU 2022/2555 (NIS2) — verbatim text

1. Backup Management

Documented backup procedures covering all data sources — including cloud-stored data such as Microsoft 365. Geographically separated, access-controlled, with defined retention periods and a verified restore process.

2. Disaster Recovery

A documented disaster recovery plan defining RTO and RPO per critical process, with tested recovery procedures and a sequenced system restoration order validated through regular exercises.

3. Crisis Management

A crisis management framework with pre-assigned roles, escalation criteria, communication protocols, and pre-authorised decision rights — including the 24-hour NIS2 incident notification obligation under Article 23.

CIR 2024/2690 Annex 4 — Technical Requirements

Annex 4.1: Business Continuity Plan

  • Business Impact Analysis (BIA) with RTO, RPO & MTPD per critical process
  • Mandatory BC plan with 8 categories of content
  • Named roles, escalation paths, and out-of-band comms
  • Activation and deactivation criteria defined
  • Recovery sequencing per system
  • Management sign-off required

Annex 4.2: Backup & Redundancy

  • Complete backup copies maintained with sufficient redundancy
  • Recovery timeframes aligned to BIA-defined RPOs
  • Geographically distant storage separate from primary site
  • Cloud-stored data explicitly in scope (M365, CRM etc.)
  • Access controls matching asset classification
  • Retention periods documented with rationale

Annex 4.3: Recovery Testing

  • Regular restore tests to an isolated environment
  • Results documented with issues and corrective actions
  • Management sign-off on test outputs
  • Tests triggered after significant incidents or major changes
  • Lessons learned incorporated into updated procedures
  • Continuous improvement cycle mandatory

What NIS2 Requires for Your Backup

CIR Annex 4.2 translates the directive's backup management obligation into six specific technical requirements. Each is enforceable and auditable.

Complete & Documented Backup Coverage

All data sources must be included — on-premises servers, databases, endpoints, and cloud-stored data. Microsoft 365 email, SharePoint, OneDrive, and CRM platforms are explicitly within scope. An undocumented backup is not an auditable backup.

CIR Annex 4.2.1 & 4.2.2

Geographic Separation

Backup copies must be stored in a location geographically distant from the primary site. Backups stored on the same premises — or even the same cloud region — as production data do not satisfy this requirement.

CIR Annex 4.2.2

Immutable or Offline Copy

Ransomware resilience requires at least one backup copy that cannot be modified or deleted — either through physical air-gapping or software-enforced immutability (Object Lock). A backup that an attacker can reach and encrypt is not a recovery option.

CIR Annex 4.2.2 (redundancy integrity)

Access Controls & Encryption

Access to backup infrastructure must be controlled and logged, with permissions matching asset classification levels. Backup data must be encrypted at rest and in transit. MFA for administrative access to backup systems is standard supervisory expectation.

CIR Annex 4.2.2

Defined RTO & RPO

Your Business Impact Analysis must define Recovery Time Objectives (how long you can be down) and Recovery Point Objectives (how much data you can afford to lose) for each critical process. Backup frequency must align to these documented RPOs.

CIR Annex 4.1.3 & 4.2.2

Tested & Documented Restores

Backups must be tested. CIR Annex 4.3 requires regular restore verification to an isolated environment, with documented results including issues found, corrective actions taken, and management sign-off. Assumed backups are not compliant backups.

CIR Annex 4.3

The 3-2-1-1-0 Rule and NIS2

The 3-2-1-1-0 backup framework is widely recognised as the practical implementation standard that addresses the core CIR Annex 4.2 requirements. Following this framework does not automatically mean NIS2 compliance — but it addresses the primary technical backup obligations.

  • 3 copies of data: primary data plus two independent backup copies (CIR 4.2.1)
  • 2 different media types: e.g. disk + cloud, or disk + tape, for resilience against single-media failure
  • 1 copy offsite: geographically separated from primary infrastructure (CIR 4.2.2)
  • 1 copy immutable or offline: air-gapped or write-once storage that ransomware cannot reach or encrypt
  • 0 errors: verified through documented restore tests, not assumed (CIR 4.3)
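
The checks above (the 3-2-1-1-0 properties, backup age against the BIA-defined RPO, documented retention, and a current restore test with closed corrective actions) can be scripted against a backup inventory so that gaps show up before an inspection rather than during one. The script below is an added example, not Mindtime's software and not part of the CIR text; the `BackupCopy` and `Workload` classes, the finding codes, the 90-day test interval and the sample inventory are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Example code, not Mindtime's software and not part of the CIR text: every
# class, field, finding code and sample value below is constructed for illustration.


@dataclass
class BackupCopy:
    location: str           # site or cloud-region label, compared with the workload's primary site
    media: str              # e.g. "disk", "tape", "object-storage"
    immutable: bool         # Object Lock / WORM or air-gapped: cannot be altered or deleted
    retention_days: int
    last_success: datetime  # last successful backup written to this copy


@dataclass
class Workload:
    name: str
    primary_site: str
    rpo_hours: float                    # from the Business Impact Analysis
    retention_days_required: int
    retention_rationale: str            # the written reasoning an auditor asks for
    copies: list[BackupCopy]
    last_restore_test: datetime | None  # last documented restore to an isolated environment
    open_test_issues: int = 0           # corrective actions from that test still open


def evaluate(w: Workload, now: datetime, test_interval_days: int = 90) -> list[tuple[str, str]]:
    """Return (code, message) findings for one workload; an empty list means all checks passed."""
    findings: list[tuple[str, str]] = []
    # "3": primary data plus two independent backup copies
    if len(w.copies) < 2:
        findings.append(("COPIES", f"{len(w.copies)} backup copy(ies), need at least 2"))
    # "2": copies on two different media types
    if len({c.media for c in w.copies}) < 2:
        findings.append(("MEDIA", "all copies are on a single media type"))
    # "1": at least one copy outside the primary site (or cloud region)
    if not any(c.location != w.primary_site for c in w.copies):
        findings.append(("OFFSITE", f"no copy outside primary site '{w.primary_site}'"))
    # "1": at least one immutable or offline copy an attacker cannot reach
    if not any(c.immutable for c in w.copies):
        findings.append(("IMMUTABLE", "no immutable or offline copy"))
    # backup frequency aligned to the BIA-defined RPO: the newest copy must be younger than the RPO
    if w.copies:
        age_h = (now - max(c.last_success for c in w.copies)).total_seconds() / 3600
        if age_h > w.rpo_hours:
            findings.append(("RPO", f"newest copy is {age_h:.1f}h old, RPO is {w.rpo_hours}h"))
    # retention matched to the documented requirement, and the rationale written down
    for c in w.copies:
        if c.retention_days < w.retention_days_required:
            findings.append(("RETENTION", f"{c.location}/{c.media} keeps {c.retention_days}d, "
                                          f"requirement is {w.retention_days_required}d"))
    if not w.retention_rationale.strip():
        findings.append(("RATIONALE", "retention period has no documented rationale"))
    # "0": verified by a restore test inside the interval, with no open corrective actions
    if w.last_restore_test is None or now - w.last_restore_test > timedelta(days=test_interval_days):
        findings.append(("RESTORE_TEST", f"no documented restore test within {test_interval_days} days"))
    elif w.open_test_issues:
        findings.append(("OPEN_ISSUES", f"{w.open_test_issues} corrective action(s) from the last test still open"))
    return findings


def report(workloads: list[Workload], now: datetime) -> dict[str, list[tuple[str, str]]]:
    """Map each workload name to its findings."""
    return {w.name: evaluate(w, now) for w in workloads}


# Constructed sample inventory: one workload that meets every check, one that fails most of them.
NOW = datetime(2026, 5, 4, 8, 0, tzinfo=timezone.utc)

SAMPLE = [
    Workload("erp-db", "ams-dc1", rpo_hours=4, retention_days_required=90,
             retention_rationale="90 days covers the monthly close cycle plus one audit window",
             copies=[BackupCopy("ams-dc1", "disk", False, 90, NOW - timedelta(hours=1)),
                     BackupCopy("fra-object", "object-storage", True, 90, NOW - timedelta(hours=3))],
             last_restore_test=NOW - timedelta(days=30)),
    Workload("m365-tenant", "ams-dc1", rpo_hours=24, retention_days_required=365,
             retention_rationale="",
             copies=[BackupCopy("ams-dc1", "disk", False, 30, NOW - timedelta(days=2))],
             last_restore_test=None),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE, NOW).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run as-is, the `erp-db` workload passes every check and the `m365-tenant` workload produces one finding per 3-2-1-1-0 property plus RPO, retention, rationale and restore-test findings. The offsite check compares location labels, so a copy in the same cloud region as production is treated as not separated, which matches the geographic separation requirement as described above.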

Five Gaps That Fail NIS2 Inspections

Supervisory authorities consistently identify the same five technical gaps during NIS2 inspections. These are not theoretical risks — they are the most common reasons organisations are found non-compliant with Article 21(2)(c).

No configuration backups

Operating system and application configurations are excluded from backup scope. After a failure, system rebuild takes weeks rather than hours — far outside any reasonable RTO.

Fix: Include OS/app configs and golden images in backup scope

Backups on the same network

Backup storage is on the same network segment or site as production. Ransomware encrypts both simultaneously. Geographic separation plus an offline copy are both mandatory under CIR 4.2.2.

Fix: Geographically separated storage + at least one offline/immutable copy

Restore procedures never tested

Backups are running but restore procedures have never been tested against a target RTO in an isolated environment. CIR Annex 4.3 requires documented testing with results and corrective actions.

Fix: Quarterly restore tests with documented results and management sign-off

SaaS data not included

Microsoft 365, CRM, and cloud platform data is excluded from backup scope. CIR 4.2.2 explicitly covers cloud-stored data. Vendor retention tools are not an independent backup.

Fix: Independent third-party backup covering all SaaS platforms

Retention period undocumented

Backup retention periods are not documented with a written rationale. Auditors look for the reasoning behind the chosen retention period, not just the number itself.

Fix: Document retention policy with legal, regulatory and operational rationale

No documented Business Continuity Plan

Many organisations have elements of a disaster recovery plan (backup systems, restore procedures) but no formal BC plan covering roles, escalation, communication, and recovery sequencing as required by CIR Annex 4.1.

Fix: Formal BC plan with BIA, RTO/RPO per process, and tested activation procedures

How Mindtime Services Support Your NIS2 Journey

Please note: The information below describes technical capabilities of Mindtime's services that are relevant to NIS2 Article 21 requirements. Using these services does not in itself constitute NIS2 compliance. Compliance is the responsibility of your organisation and depends on your overall security programme, documentation, governance, and processes. We recommend consulting a qualified legal or compliance professional to assess your specific obligations and status.

EU-Only Data Residency

Relevant to: CIR 4.2.2 geographic separation, GDPR data residency obligations, and sovereignty requirements for entities subject to Dutch and Belgian law.

  • Data stored exclusively in NL & DE Tier III datacentres
  • No data transferred outside the European Economic Area
  • Subject solely to EU law — no exposure to US CLOUD Act
  • ISO 27001 certified infrastructure
  • Data Processing Agreement (DPA) available

Immutable Backup Storage

Relevant to: CIR 4.2.2 ransomware resilience, the offline/immutable copy requirement of the 3-2-1-1-0 framework, and audit evidence for backup integrity.

  • Object Lock (WORM) storage — backup data cannot be deleted or modified
  • Protection holds even if admin credentials are compromised
  • Separate storage network isolated from production
  • Continuous malware scanning of backup data
  • MFA-enforced administrative access

Documented Recovery & Reporting

Relevant to: CIR 4.3 tested recovery, CIR 4.1.4 documented test results, and audit evidence requirements for supervisory inspections.

  • Regular restore tests with written results reports
  • RPO and RTO documented per protected workload
  • Audit-ready backup status and compliance reports
  • Change notifications and version history logs
  • 24/7 monitoring with alerting on backup failures

Microsoft 365 & SaaS Backup

Relevant to: CIR 4.2.2 requirement that backup procedures explicitly cover cloud-stored data — including Microsoft 365, Google Workspace, and other SaaS platforms.

  • Exchange, SharePoint, OneDrive, Teams, Planner
  • Google Workspace (Gmail, Drive, Calendar, Contacts)
  • Independent of Microsoft's native retention tools
  • Point-in-time restore at item level
  • Configurable retention periods with documented policy

Workload Coverage

Relevant to: CIR 4.2.1 complete backup copies of all data, covering both on-premises and cloud-hosted workloads within scope of NIS2.

  • VMware & Hyper-V hypervisors
  • Physical servers (Windows & Linux)
  • Azure, AWS & Google Cloud instances
  • SQL, Oracle & application-consistent backups
  • Endpoints (Windows, macOS, Linux laptops)

MSP as Regulated Entity

As an ICT managed service provider, Mindtime is itself subject to NIS2 Article 21 obligations. Our own security controls, certifications and documentation are available for your due diligence and supply chain risk assessments.

  • ISO 27001 annual independent audits
  • SOC 2 Type II aligned controls
  • Subprocessor documentation available
  • Incident notification procedures aligned to Article 23
  • Supplier security questionnaires on request

Important: Mindtime's backup services address the technical data protection layer of Article 21(2)(c). Full NIS2 compliance also requires governance, risk management, supply chain controls, incident reporting procedures, and a formally documented and tested Business Continuity Plan. We recommend working with a qualified compliance consultant or legal advisor to assess your complete obligations under NIS2 as transposed in your jurisdiction.

Frequently Asked Questions

Common questions about NIS2, Article 21, and what backup requirements mean in practice.

NIS2 Article 21(2)(c) requires essential and important entities to implement measures covering business continuity, backup management, disaster recovery, and crisis management. The Commission Implementing Regulation (CIR 2024/2690) Annex 4 specifies this in detail: complete backup copies must be maintained, backups must be stored in geographically distant secure locations separate from primary sites, cloud-stored data (including Microsoft 365) must be included in backup scope, and restore procedures must be tested regularly with documented results.

In the Netherlands, NIS2 has been transposed into national law as the Cyberbeveiligingswet (Cbw). In Belgium, the enforcement window opened in April 2026. Organisations in 18 sectors — including digital infrastructure, energy, health, financial services, transport, and managed IT service providers — are subject to the directive. Entities are classified as 'essential' (largest, highest risk) or 'important' (smaller, lower risk), with different supervisory approaches but the same technical obligations under Article 21. The directive generally applies to organisations with 50+ employees or €10M+ turnover.

Essential entities face fines of up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines of up to €7 million or 1.4% of global annual turnover. Beyond financial penalties, NIS2 introduces personal liability for management — senior executives can be held personally accountable if an organisation fails to implement required cybersecurity measures. Fines are applied per incident and may be cumulative.

Yes. CIR Annex 4.2.2 explicitly requires backup procedures to cover "cloud-stored data." Microsoft 365 email, SharePoint, OneDrive, and Teams data is not automatically backed up to your own specifications by Microsoft. Microsoft's built-in retention tools are retention policies, not independent backups — they do not protect against accidental deletion, malicious action, or service-side data loss in the same way an independent backup does. NIS2 compliance requires independent backup of your SaaS estate with documented recovery timeframes and tested restore procedures.

The 3-2-1-1-0 rule is the practical implementation framework that maps directly to CIR Annex 4.2 requirements: 3 copies of data, on 2 different media types, with 1 copy offsite, 1 copy offline or immutable, and 0 errors verified through documented restore testing. Following this framework addresses the core technical backup requirements under NIS2 — however, full Article 21 compliance also requires a documented Business Continuity Plan, Business Impact Analysis, crisis management procedures, and regular tested exercises. The 3-2-1-1-0 rule is a necessary but not sufficient condition for NIS2 compliance.

GDPR focuses on the protection and lawful processing of personal data, including data minimisation and the right to erasure. NIS2 focuses on the resilience and security of network and information systems — including backup, disaster recovery, and business continuity. The two frameworks overlap: NIS2 backup requirements (geographic separation, access controls, encryption) are broadly consistent with GDPR security obligations under Article 32. However, NIS2 adds specific requirements for tested recovery procedures and documented RTO/RPO targets that go beyond GDPR's more general security standard. Organisations subject to both must satisfy both sets of requirements.

Yes. NIS2 explicitly names ICT managed service providers as essential entities under Annex I. MSPs must implement Article 21 technical measures for their own infrastructure and operations — they cannot simply be conduits for client compliance. Clients who are themselves essential or important entities are responsible for their own NIS2 compliance but may rely on documented controls and certifications from their MSP as part of their supply chain due diligence. MSPs should maintain documentation of their own compliance posture for client audit purposes.

CIR Annex 4.1.4 requires testing "at planned intervals and following significant incidents or significant changes." Most implementations use annual full-scale testing, quarterly functional backup restore tests to an isolated environment, and semi-annual tabletop exercises. Every test must produce documented output — date, participants, scenario, issues identified with severity ratings, corrective actions with owners and deadlines, and management sign-off. These records are the primary audit evidence for CIR Annex 4.1.4 compliance during a supervisory inspection.
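
Because the test record itself is the audit evidence, it is worth checking each record for the elements listed above (date, participants, scenario, issues with severity ratings, corrective actions with owners and deadlines, management sign-off) and flagging corrective actions that are past their deadline and still open. The validator below is an added example, not Mindtime's software and not the CIR's wording; the field names, the severity scale and the two sample records are constructed for illustration.

```python
from __future__ import annotations
from datetime import date

# Example code, not Mindtime's software and not the CIR's wording: the field names,
# severity scale and sample records below are constructed for illustration.

REQUIRED_FIELDS = ("date", "participants", "scenario", "issues", "corrective_actions", "signed_off_by")
SEVERITIES = ("low", "medium", "high", "critical")


def validate_test_record(record: dict, today: date) -> list[str]:
    """Return the evidence gaps in one restore/BC test record; an empty list means it is complete."""
    gaps = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if gaps:
        return gaps  # content checks need the structure first
    if not record["participants"]:
        gaps.append("no participants recorded")
    if not str(record["scenario"]).strip():
        gaps.append("no scenario described")
    # every issue needs a severity rating from the agreed scale
    for i, issue in enumerate(record["issues"]):
        if issue.get("severity") not in SEVERITIES:
            gaps.append(f"issue {i}: severity missing or not one of {', '.join(SEVERITIES)}")
    if record["issues"] and not record["corrective_actions"]:
        gaps.append("issues identified but no corrective actions recorded")
    # every corrective action needs an owner and a deadline; open actions past the deadline are flagged
    for i, action in enumerate(record["corrective_actions"]):
        if not action.get("owner"):
            gaps.append(f"action {i}: no owner")
        deadline = action.get("deadline")
        if deadline is None:
            gaps.append(f"action {i}: no deadline")
        elif not action.get("closed", False) and deadline < today:
            gaps.append(f"action {i}: overdue since {deadline.isoformat()}")
    if not record["signed_off_by"]:
        gaps.append("no management sign-off")
    return gaps


TODAY = date(2026, 5, 4)  # constructed reference date

# Constructed sample records: one complete, one with the gaps an inspector would raise.
COMPLETE_RECORD = {
    "date": date(2026, 4, 15),
    "participants": ["backup administrator", "service owner ERP", "CISO"],
    "scenario": "Full restore of erp-db from the immutable copy into the isolated test VLAN",
    "issues": [{"description": "restore took 5h against a 4h RTO", "severity": "high"}],
    "corrective_actions": [{"description": "pre-stage restore target storage", "owner": "backup administrator",
                            "deadline": date(2026, 6, 1), "closed": False}],
    "signed_off_by": "CISO",
}

INCOMPLETE_RECORD = {
    "date": date(2026, 1, 20),
    "participants": [],
    "scenario": "File-level restore test",
    "issues": [{"description": "two files missing after restore", "severity": "unknown"}],
    "corrective_actions": [{"description": "investigate exclusion list", "owner": "",
                            "deadline": date(2026, 3, 1), "closed": False}],
    "signed_off_by": "",
}

if __name__ == "__main__":
    for label, rec in (("complete", COMPLETE_RECORD), ("incomplete", INCOMPLETE_RECORD)):
        gaps = validate_test_record(rec, TODAY)
        print(f"{label}: {'audit-complete' if not gaps else gaps}")
```

The validator returns structural gaps (missing fields) before content gaps so that a malformed record does not raise a misleading list of secondary findings; a closed action past its deadline is not flagged, only an open one.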

Questions about your backup and NIS2?

Our technical team can walk through your current environment and explain how our EU-hosted backup services relate to your NIS2 obligations — with no commitment required.
