Ransomware: NIS2 regulation and the road to recovery — Part 1


A two-part practical guide for EMEA IT leaders

In today’s interconnected world, one company’s outage can affect the delivery of a country’s vital services and even impact the wider economy, as was evidenced by the cyberattack on Jaguar Land Rover, which negatively impacted the UK’s GDP.

At the heart of NIS2 is a desire for business continuity. It encourages companies to properly document their processes, plan for eventualities and identify weaknesses in their supply chains.

Importantly, NIS2 makes cybersecurity and resilience a board room responsibility, with potential penalties for business leaders. In other words, leaving security solely to IT is no longer enough.

With that in mind, strengthening your ability to respond to security incidents — and, importantly, recover from them — must form a core part of every business’s security approach.

In the first part of this guide, we’ll take a look at your internal readiness. Then, in part two, we’ll discuss how to deal with the various regulatory reporting requirements in the event of an incident. 

“Ransomware is the single biggest threat to organisations online”

Those are not our words. The statement comes from the Centre for Cybersecurity in Belgium, which reported that ransomware attacks more than doubled between 2021 and 2024.

Ransomware remains one of the most disruptive forms of cyberattack, disabling your systems and disrupting your business unless a ransom is paid. Even if your company were to pay, recovery is not guaranteed. Not all attacks are necessarily destructive, however. A data breach, for example, may not impact your ability to carry on business as usual, but the reputational damage and potential financial penalties can have significant long-term consequences.

The reality is that no matter how much you secure your business, some level of risk always remains — and that risk exists 24/7/365, even when your team is offline.

Get your recovery plan in place — and make sure it works

In our guide Mastering modern recovery: New essentials for IT managers, we cover the three fundamentals of disaster recovery planning:

  • Assess risks and identify critical systems. A thorough risk assessment helps identify the most critical systems that need immediate attention during a disaster scenario and helps prioritise them according to their importance to business operations.
  • Create a step-by-step recovery plan. Develop recovery procedures for different disaster scenarios, including cyberattacks, natural disasters or hardware failures. Each scenario should have a clear, step-by-step plan for recovery with clear responsibilities.
  • Test and maintain the plan. A recovery plan is only as good as its execution. Regular testing, updates and audits are critical to ensuring long-term viability and adapting to evolving threats, technologies and infrastructure changes.

The good news is that anyone following this approach is already well placed to meet some NIS2 requirements, such as risk analysis and information security, incident handling and business continuity measures.

If you’re struggling to get senior leaders’ buy-in, aligning your IT goals with NIS2 objectives is a good way to underline the importance of proper disaster recovery planning.

Backups form an essential part of NIS2 compliance

The widely accepted approach to backup strategy has traditionally followed the 3-2-1 rule:

  • 3 copies of data (to protect against data loss)
  • 2 different formats (stored on at least two media types)
  • 1 off-site copy (to protect against physical disasters)

However, it’s now recommended to add two more measures for true backup efficacy:

  • 1 immutable copy (a copy that cannot be altered or deleted once written, so ransomware cannot encrypt or wipe it)
  • 0 doubt you can recover (regular restore testing is what gives you that certainty)

The importance of immutable backups was made abundantly clear in April 2026 when an AI agent not only deleted a company’s entire customer database, but recent backups as well, impacting customers for days and making international headline news.

This shows how getting it right is of paramount importance: a matter of business continuity, regulatory compliance — and keeping your company out of the headlines.

Ensuring confidence in recovery

NIS2 emphasises the need for policies that assess operational effectiveness. Just having backups is not enough. You need to be confident in your ability to restore systems and get your business back online quickly.

While you should be running disaster recovery tests on a regular basis, this can be augmented by tools that offer automated testing of backups.

When monitored and reported alongside metrics such as RPO (recovery point objective) and RTO (recovery time objective), these capabilities give you greater confidence in your backup posture and also provide the evidence required for regulatory reporting.

Don’t back up bad data

The possibility of ransomware creeping into your backups is a cause for concern. It’s also important to understand the health of the data that you are backing up.

As part of your backup automation, you can use machine learning to identify behaviour symptomatic of a ransomware infection. Running this analysis on every backup as it is taken flags infected backups early, so the problem is caught before you need to rely on those backups for recovery.

Make sure your backups are region-appropriate

Your data cannot be stored or restored just anywhere. Different regions have different data sovereignty laws, so it’s important to understand where backups are stored and whether they can legally be restored from that territory. Regulations such as GDPR continue to apply during recovery operations, so make sure that both the tools you use and the locations where your data is held remain compliant.

Meeting your regulatory requirements

Kaseya offers businesses peace of mind, ensuring that their valuable data is safe, compliant, and most importantly, recoverable. Read our guide to mastering modern recovery to learn more about building a resilient recovery strategy.

But recovery planning is only part of the equation. During a security incident, organisations must also manage their legal and regulatory reporting obligations. In part two, we’ll delve into NIS2 and GDPR and the various reporting requirements in EMEA.
