Why having backups is no longer enough: what regulators now demand

For most of the last decade, having a backup was enough to satisfy an auditor. Tapes in a vault. A scheduled job that ran overnight. A green light on the dashboard. The question was whether you had backups.
The question now is whether you can prove you would actually recover.
That shift has happened quickly, and it has been driven by three things: the industrialisation of ransomware, tightening regulatory frameworks, and a cyber insurance market that has stopped taking backup claims on faith.
The threat has changed
Ransomware gangs now use automation and AI-driven tooling to move from initial compromise to full encryption in minutes rather than days. The time available to detect, contain, and respond has collapsed. Attackers have also learned that the most effective way to maximise leverage is to target backup infrastructure first. One in four energy firms reported a ransomware attempt specifically targeting their backup systems in 2025. The pattern is spreading across sectors.
When an organisation discovers it has been hit, the first question is always the same: are the backups intact and recoverable? If the answer is anything other than a confirmed yes, the recovery clock starts from zero.
The financial consequences are severe. Recovery costs covering forensics, rebuild, emergency consultancy, and lost revenue regularly exceed any ransom demand, even where no ransom is paid. In financial services alone, the average cost of a UK data breach reached £5.74 million in 2025. Paying an attacker guarantees nothing. Decryption is unreliable. Repeat targeting is common.
What regulators now expect
The regulatory landscape has moved in step with the threat. Several frameworks now place specific, evidenced obligations on organisations around backup, recovery, and resilience testing.
DORA, the EU’s Digital Operational Resilience Act, requires financial entities to maintain ICT business continuity, test backup and recovery plans at least annually, and operate segregated backup systems with documented restoration procedures. NIS2 extends similar expectations across a wider range of organisations in critical infrastructure sectors. The UK’s Cyber Security and Resilience Bill introduces comparable domestic requirements.
Across all of these frameworks, the question is consistent: can you prove that you can recover quickly and safely when the worst happens?
That proof cannot come from a backup job report. It comes from tested runbooks, documented recovery sequences, immutable copies held outside your primary infrastructure, and DR exercises that involve real systems and real people, not just a theoretical plan on a shared drive.
‘Having some backups is no longer enough. You must be able to show that you can recover quickly and safely, under pressure, from a worst-case scenario.’ The Executive Guide to Backup and Recovery, Covenco 2026
Where most backup strategies fall short
Most backup strategies were not designed. They evolved. Each new application, cloud platform, or data centre was added into backup with whatever tools and time were available. The result is a patchwork of technologies, schedules, and responsibilities that looks adequate until an incident makes the gaps visible.
The most common failures are not technical. They are structural.
Domain controllers and identity platforms are the most frequently forgotten gap. They are the control planes that tell everything else where to go. When they are missing from a recovery sequence, nothing comes back cleanly. In one Covenco engagement, a customer hit by ransomware had carefully backed up file servers, databases, and virtual machines, but not the domain controller. Recovery stalled entirely until an old physical server was found in a cupboard. Without that stroke of luck, the business faced rebuilding identity and access from scratch.
Microsoft 365 is another consistent blind spot. Many organisations assume that moving workloads into the cloud transfers resilience responsibility to the provider. It does not. Microsoft guarantees the availability of the platform. Customers remain responsible for their own data. Recycle bins and retention policies are not a backup strategy.
Runbooks stored on the systems they are meant to help recover appear repeatedly in real incidents. A recovery plan you cannot access during a crisis is not a recovery plan. It is a false sense of security.
What good looks like now
A defensible backup and recovery strategy in 2026 has several characteristics.
It covers on-premises, cloud, and SaaS workloads under a single coherent framework. It applies the 3-2-1-1-0 standard, maintaining at least one immutable or air-gapped copy that cannot be reached or deleted by a threat actor who has compromised the primary environment. It classifies workloads into recovery tiers with defined RPO and RTO objectives, so that domain controllers and identity platforms come back first, followed by business-critical systems in priority order.
It is tested regularly, with evidence that stands up to regulators, auditors, cyber insurers, and the board. And it distinguishes between conventional disaster recovery, which prioritises rapid failover, and cyber recovery, which prioritises containment, forensic validation, and a clean room rebuild before any recovered system is reconnected to the network.
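As an added illustration, not code from the guide or from Covenco, the Python below checks a constructed backup inventory against the 3-2-1-1-0 rule (three copies, two media types, one offsite, one immutable or air-gapped, zero restore-test errors), flags the control-plane and SaaS workloads the page names as commonly forgotten when they are absent from the plan, and orders recovery by tier so identity comes back first. The workload names, tiers and inventory are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Copy:
    medium: str      # e.g. "disk", "tape", "object"
    offsite: bool    # held outside the primary environment
    immutable: bool  # immutable or air-gapped: unreachable from a compromised primary
    verified: bool   # last restore test of this copy succeeded (the "0" in 3-2-1-1-0)

@dataclass
class Workload:
    name: str
    tier: int        # 0 = identity/control plane, 1 = business-critical, 2 = other
    copies: list = field(default_factory=list)

def check_3_2_1_1_0(w):
    """Return the rule failures for one workload (empty list means compliant)."""
    gaps = []
    if len(w.copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.medium for c in w.copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c.offsite for c in w.copies):
        gaps.append("no offsite copy")
    if not any(c.immutable for c in w.copies):
        gaps.append("no immutable/air-gapped copy")
    if not all(c.verified for c in w.copies):
        gaps.append("unverified copy (restore test missing or failed)")
    return gaps

# Workloads that must be in the recovery sequence; names are assumed labels for this example.
REQUIRED = {"domain-controller", "microsoft-365"}

def assess(inventory):
    """Return (missing required workloads, per-workload gaps, recovery order by tier)."""
    missing = sorted(REQUIRED - {w.name for w in inventory})
    gaps = {w.name: g for w in inventory if (g := check_3_2_1_1_0(w))}
    order = [w.name for w in sorted(inventory, key=lambda w: (w.tier, w.name))]
    return missing, gaps, order

# Constructed sample: the file server is fully covered, the domain controller has a
# single mutable on-site copy, the ERP copy on object storage was never restore-tested,
# and Microsoft 365 is not backed up at all.
INVENTORY = [
    Workload("file-server", 1, [Copy("disk", False, False, True), Copy("object", True, True, True), Copy("tape", True, True, True)]),
    Workload("domain-controller", 0, [Copy("disk", False, False, True)]),
    Workload("erp-database", 1, [Copy("disk", False, False, True), Copy("object", True, True, False), Copy("tape", True, True, True)]),
]

if __name__ == "__main__":
    missing, gaps, order = assess(INVENTORY)
    print("missing:", missing, "\ngaps:", gaps, "\nrecovery order:", order)
```

Run against a real inventory, the `missing` and `gaps` lists are the evidence an auditor or insurer would ask for, and `order` is the sequence a runbook held off-platform should follow.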
The organisations that handle incidents well are not the ones with the most sophisticated tooling. They are the ones that rehearsed, documented, and tested their recovery before the worst happened.
Read the full guide
The Executive Guide to Backup and Recovery sets out what good looks like across ten UK industry sectors, from healthcare and banking to manufacturing and financial services. Thirty-two pages of practical insight, free to download.