The NIS2 directive (Network and Information Security 2) came into force on October 17, 2024, with mandatory transposition into national law before January 2025. This new European regulation significantly strengthens cybersecurity requirements, and backups hold a central place in the required technical measures.
What is the NIS2 directive?
NIS2 replaces the 2016 NIS directive and significantly broadens its scope. While NIS covered approximately 10,000 entities in Europe, NIS2 applies to more than 160,000 organizations, including about 15,000 in France.
NIS2 aims to ensure a high level of cybersecurity across the European Union, with penalties up to 10 million euros or 2% of global turnover.
Affected sectors:
Essential entities (EE)
- Energy (electricity, gas, oil)
- Transport (air, rail, maritime, road)
- Healthcare (hospitals, laboratories)
- Drinking water and wastewater
- Digital infrastructure
- Public administration
- Space
Important entities (IE)
- Postal services
- Waste management
- Manufacturing (chemicals, medical, electronics)
- Food
- Digital providers
- Research
- Critical B2B services
Classification criteria are based on size (more than 50 employees or 10 million euros in turnover) and sector of activity. Certain entities are designated as essential regardless of their size (critical infrastructure).
Backup obligations under NIS2
Article 21 of the NIS2 directive defines the "cybersecurity risk management measures" that entities must implement. Backups are explicitly mentioned as an essential component.
Article 21 - Key excerpts:
"The measures referred to in paragraph 1 shall be based on an all-hazards approach [...] and shall include at least the following: [...] (c) business continuity, such as backup management and disaster recovery, and crisis management."
Implicit backup requirements:
Resilience and availability
Backups must allow restoring essential services within "appropriate" timeframes in the event of an incident. This implies regular restore tests and documented RTO/RPO.
Protection against cyberattacks
Backups themselves must be protected against ransomware and other threats. This requires isolation (air-gap) or immutability of backed-up data.
Encryption and confidentiality
Article 21(2)(h) explicitly mentions "encryption and, where appropriate, pseudonymisation" as a security measure. Backups must therefore be encrypted.
Secure supply chain
Article 21(2)(d) requires an assessment of supply chain security. Your backup providers must themselves present adequate guarantees.
Backup compliance: practical checklist
To meet NIS2 requirements, your backup strategy must integrate the following elements:
NIS2 Compliance Checklist - Backups
Warning: NIS2 provides for controls and audits. Entities must be able to demonstrate their compliance with documented evidence: test reports, access logs, contracts with subcontractors, etc.
How NimbusBackup meets NIS2 requirements
Our Proxmox backup plans have been designed to meet the strictest requirements, including those of NIS2 for essential and important entities.
100% French hosting
Equinix datacenters in the Paris region, own infrastructure (AS206014). Data sovereignty guaranteed.
Native geo-redundancy
Automatic replication across 2 separate sites with our Double Drive PBS and higher plans (from 22 EUR/TB).
Air-gapped protection
AirGapped Drive PBS (disk rotation) and Bank PBS (bank vault) plans for complete physical isolation.
Long-term archiving
Magnetic PBS plans with LTO tape archiving: 30+ year durability, cyberattack resistance.
AES-256 encryption
Client-side encryption before transmission. You alone hold the keys; we never have access to your data in cleartext.
Support and documentation
French technical team, complete documentation, and assistance for your compliance audits.
Our PBS range for NIS2:
- Single Drive PBS (12 EUR/TB) - Basic encrypted backup
- Double Drive PBS (22 EUR/TB) - Geo-redundancy across 2 sites
- AirGapped Drive PBS (34 EUR/TB) - Ransomware protection through isolation
- Drive Bank PBS (69 EUR/TB) - Bank vault
- Magnetic PBS (89 EUR/TB) - HDD + automatic LTO tape archiving
- Magnetic Bank PBS (149 EUR/TB) - LTO in bank vault, maximum compliance
Conclusion: act now
The NIS2 directive is not a simple administrative formality. With penalties up to 2% of global turnover and personal liability for executives, compliance is a strategic issue for every affected organization.
Backups are a central pillar of this compliance. A robust backup strategy integrating air-gap, encryption and regular testing protects you not only against regulatory penalties, but above all against the operational consequences of a cyberattack. Check our offsite backup pricing guide and discover our legal on-call obligations and our certified Proxmox managed services.
Don't wait for an incident or an audit to act. Achieving NIS2 compliance for your backups is an investment in your organization's resilience.
