Your company manages its own backups. You have a NAS, maybe a local PBS, and everything works… until the day ransomware encrypts everything, including the backups reachable from your network. Or until a GDPR audit reveals that your backups don't meet Article 32 requirements.
Backup as a Service (BaaS) addresses these problems by entrusting your backups to a separate, specialized operator whose infrastructure is physically and logically separated from yours. It's not just cloud storage: it's a separation of responsibilities that fundamentally changes your security posture.
The key principle of BaaS: whoever manages production should not be the one managing backups. Two separate operators, two separate infrastructures, two separate sets of credentials.
1. Operator Separation: The Foundation of BaaS
The traditional model — a single IT team managing both production and backups — creates a single point of failure. If an attacker compromises your team's admin accounts, they access everything: hypervisors, local storage, and backups.
Traditional Model (Risky)
- Same team manages prod + backup
- Shared credentials or common AD
- Backups accessible from prod network
- Ransomware = prod + backups encrypted
BaaS Model (Secure)
- Separate, specialized backup operator
- Completely independent credentials
- Physically separate infrastructure
- Ransomware = prod hit, backups intact
This separation is not just a best practice: it's an increasing regulatory requirement. ANSSI (French cybersecurity agency) explicitly recommends separating roles between production administrators and backup administrators. The NIS2 directive mandates it for essential and important entities.
For a detailed look at how this separation works at the technical level (accounts, permissions, PBS roles), see our dedicated article: Backup as a Service Proxmox: Why a Backup Account (Not Admin) Changes Everything.
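The separation above is only real if the PBS permission model reflects it: backup accounts scoped to one datastore with the DatastoreBackup role, and server-wide admin rights held only by the backup operator's own accounts. The following script is an added example (not code from the article or from NimbusBackup) that audits an ACL listing for exactly that. It assumes the JSON shape produced by `proxmox-backup-manager acl list --output-format json` (fields `path`, `roleid`, `ugid`, `ugid_type`, `propagate`); the sample entries, account names and datastore names are constructed for illustration.

```python
"""Audit a PBS ACL listing for operator separation.

Assumed input: the JSON array printed by
    proxmox-backup-manager acl list --output-format json
Each entry carries path, roleid, ugid, ugid_type and propagate.
The sample below is constructed; the account and datastore names are hypothetical.
"""
import json

# Roles that grant prune/delete or configuration rights on a datastore or the whole server.
PRIVILEGED_ROLES = {"Admin", "DatastoreAdmin", "DatastorePowerUser"}
# The only role an account whose sole job is pushing backups should hold.
# DatastoreBackup can write backups but lacks Datastore.Prune / Datastore.Modify,
# so it cannot remove other owners' snapshots or change datastore settings.
# Caveat: it can still delete the snapshots it owns, so pair it with
# server-side retention (prune jobs) and the protected flag on key snapshots.
BACKUP_ROLES = {"DatastoreBackup"}

# Constructed sample: two backup accounts (one correctly scoped, one over-privileged),
# the PBS operator's root account, and a production admin account that should not be here.
SAMPLE_ACL_JSON = """[
  {"path": "/datastore/client-a", "roleid": "DatastoreBackup", "ugid": "backup-a@pbs", "ugid_type": "user", "propagate": true},
  {"path": "/datastore/client-a", "roleid": "DatastoreBackup", "ugid": "backup-a@pbs!pve-token", "ugid_type": "user", "propagate": true},
  {"path": "/", "roleid": "Admin", "ugid": "root@pam", "ugid_type": "user", "propagate": true},
  {"path": "/datastore/client-b", "roleid": "DatastoreAdmin", "ugid": "backup-b@pbs", "ugid_type": "user", "propagate": true},
  {"path": "/", "roleid": "Admin", "ugid": "it-admin@pbs", "ugid_type": "user", "propagate": true}
]"""


def audit_acl(acl_entries, backup_accounts, allowed_admins):
    """Return a list of findings; an empty list means the ACL matches the separation model.

    backup_accounts: user ids (without token suffix) that only push backups.
    allowed_admins:  user ids belonging to the backup operator that may hold privileged roles.
    """
    findings = []
    for entry in acl_entries:
        account = entry["ugid"].split("!")[0]  # an API token "user@realm!name" inherits its user's identity
        role = entry["roleid"]
        path = entry["path"]
        if account in backup_accounts:
            if role not in BACKUP_ROLES:
                findings.append(f"{entry['ugid']} holds {role} on {path}; expected DatastoreBackup only")
            if not path.startswith("/datastore/"):
                findings.append(f"{entry['ugid']} has an ACL at {path}; backup accounts must be scoped to one datastore")
        elif role in PRIVILEGED_ROLES and account not in allowed_admins:
            findings.append(f"{entry['ugid']} holds privileged role {role} on {path} but is not an approved backup-operator admin")
    return findings


def audit_acl_json(text, backup_accounts, allowed_admins):
    """Convenience wrapper: parse the JSON listing, then audit it."""
    return audit_acl(json.loads(text), set(backup_accounts), set(allowed_admins))


if __name__ == "__main__":
    for finding in audit_acl_json(SAMPLE_ACL_JSON, {"backup-a@pbs", "backup-b@pbs"}, {"root@pam"}):
        print("FINDING:", finding)
```

Run it against a real listing by piping the command's output into a file and loading it instead of `SAMPLE_ACL_JSON`; on the constructed sample it reports `backup-b@pbs` (DatastoreAdmin instead of DatastoreBackup) and `it-admin@pbs` (a production admin holding Admin on `/`).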
2. GDPR: BaaS as the Answer to Article 32
GDPR Article 32 requires data controllers to implement technical and organizational measures ensuring a level of security appropriate to the risk. Among the explicit requirements:
Rapid Restoration Capability
BaaS guarantees a contractually defined RTO. At NimbusBackup: RTO < 4h on disk plans.
Data Encryption
PBS encrypts client-side with AES-256. The BaaS provider never has access to your data in clear text.
Hosting in France / EU
A BaaS hosted in France eliminates Cloud Act exposure risk and ensures data sovereignty.
Operation Traceability
Access logs, backup history, failure alerts: BaaS provides the traceability needed for audits.
Key GDPR point: the BaaS provider acts as a data processor under Article 28. A data processing agreement precisely defines responsibilities, security measures and data return/deletion conditions.
3. NIS2 and ANSSI: Mandatory Privilege Separation
The NIS2 directive (transposed into French law in 2025) significantly strengthens cybersecurity requirements. Article 21 mandates:
NIS2 Requirements Covered by BaaS
Access Management and Privilege Segregation
BaaS enforces backup-only accounts with no admin access. No shared credentials between production and backup.
Business Continuity and Crisis Management
The BaaS provider delivers a documented DRP with contractual RTO/RPO and periodic restoration tests.
Supply Chain Security
NIS2 requires managing supplier-related risks. A French BaaS provider with sovereign infrastructure reduces this attack surface.
ANSSI also recommends in its best practice guides that backups be managed by an operator separate from the production administrator, with completely independent credentials and access. BaaS natively meets this recommendation.
4. Concrete Benefits of BaaS for Your Business
Ransomware Protection by Design
Ransomware that compromises your AD, hypervisors and NAS cannot reach a BaaS infrastructure managed by a third party. It's an architectural barrier, not just a software one.
24/7 Monitoring by Specialists
How often have you discovered that a backup job had been failing for weeks? A BaaS provider monitors continuously and alerts immediately on failures, volume drift or anomalies.
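The two conditions named above, a job that has been failing silently and a backup whose size drifts away from its baseline, are easy to check mechanically from a job history. The script below is an added example written for this article (not NimbusBackup's monitoring and not PBS's own log format): it reads constructed one-line-per-run records (date, job, status, bytes written), flags any job whose last successful run is older than a threshold, and flags any run whose size deviates from the median of the job's previous successful runs in either direction. A sudden growth can mean the source data has stopped deduplicating (for instance because it was encrypted), a sudden drop that a disk or share went missing.

```python
"""Detect silent backup failures and volume drift from a job history.

Constructed record format (hypothetical, not PBS's task log):
    <ISO date> <job name> <OK|FAILED> <bytes written>
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample history: vm-101 suddenly shrinks, vm-102 has failed for three days,
# vm-103 has not been backed up since February.
SAMPLE_HISTORY = """\
2025-03-01 vm-101 OK 52000000000
2025-03-02 vm-101 OK 52400000000
2025-03-03 vm-101 OK 52300000000
2025-03-04 vm-101 OK 9100000000
2025-03-01 vm-102 OK 12000000000
2025-03-02 vm-102 FAILED 0
2025-03-03 vm-102 FAILED 0
2025-03-04 vm-102 FAILED 0
2025-02-20 vm-103 OK 8000000000
"""


def parse_history(text):
    """Group runs by job name, each as a date-sorted list of (date, status, bytes)."""
    runs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, status, size = line.split()
        runs[job].append((date.fromisoformat(day), status, int(size)))
    for job in runs:
        runs[job].sort()
    return runs


def find_alerts(runs, today, max_age_days=2, drift_ratio=0.5):
    """Return (job, reason) pairs for stale jobs and for size drift beyond drift_ratio."""
    alerts = []
    for job, hist in sorted(runs.items()):
        successes = [(day, size) for day, status, size in hist if status == "OK"]
        if not successes:
            alerts.append((job, "no successful backup on record"))
            continue
        last_ok, last_size = successes[-1]
        age = (today - last_ok).days
        if age > max_age_days:
            alerts.append((job, f"last successful backup {age} days ago"))
        # Drift needs a baseline: the median of the earlier successful runs, so one outlier
        # in the past does not hide a change in the latest run.
        if len(successes) >= 3:
            baseline = median(size for _, size in successes[:-1])
            if abs(last_size - baseline) > drift_ratio * baseline:
                alerts.append((job, f"size {last_size} deviates more than {int(drift_ratio * 100)}% from baseline {int(baseline)}"))
    return alerts


def run_sample(today_iso="2025-03-05"):
    """Evaluate the constructed sample as of the given day; returns the alert list."""
    return find_alerts(parse_history(SAMPLE_HISTORY), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for job, reason in run_sample():
        print(f"ALERT {job}: {reason}")
```

The thresholds are deliberately parameters: a nightly job tolerates a two-day gap, a weekly one does not, and the acceptable size variation depends on how much the source changes between runs.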
Restoration Assistance
In case of disaster, you're not alone. The BaaS provider assists you through restoration: identifying the restore point, data transfer, integrity verification.
Qualified and Maintained Infrastructure
The provider handles PBS updates, hardware replacement, capacity management and infrastructure security. You don't need to hire a dedicated backup specialist.
Documented Compliance for Audits
GDPR data processing agreement, formalized DRP, access logs, backup reports: BaaS provides the documentation needed to satisfy auditors and regulators.
5. The 3-2-1 Rule: BaaS Is Your "1 Offsite"
The 3-2-1 rule is the minimum data protection standard: 3 copies of your data, on 2 different media, with 1 offsite. Simple in theory, often incomplete in practice.
3 copies: Production + Local PBS + BaaS
2 media: SSD/HDD prod + mechanical HDD/LTO remote
1 offsite: your BaaS
BaaS is precisely the "1 offsite" of the 3-2-1 rule. Without it, your backup strategy relies entirely on your primary site — a single disaster (fire, flood, ransomware) and everything is gone.
To go further with the 3-2-1-1-0 extensions (air-gap + zero restore errors), see our complete air-gapped and 3-2-1-1-0 rule guide.
6. Ransomware Cost vs BaaS Cost
BaaS costs a few hundred euros per month. A ransomware attack costs an SMB an average of €250,000 (source: ANSSI, cyber threat landscape 2024). Not counting business downtime, customer trust loss, and potential GDPR fines.
Ransomware Cost (SMB)
- Ransom demanded: €50,000 to €500,000
- Business downtime: 3 to 21 days
- Revenue loss: €10,000 to €50,000/day
- IT rebuild: €30,000 to €150,000
- Potential GDPR fine: up to 4% of revenue
- Customer trust loss: priceless
Average total: €250,000+
BaaS Cost (NimbusBackup)
- 1 TB offsite: €12/month
- 5 TB offsite: €60/month
- 10 TB offsite: €120/month
- 24/7 monitoring: included
- Support + restoration: included
- GDPR/NIS2 compliance: included
That's ~€720/year for 5 TB
The math is simple: annual BaaS cost represents less than 0.3% of the average ransomware cost. It's insurance, not an expense.
7. Checklist: Is Your Current Backup Compliant?
Check whether your current backup setup meets regulatory requirements and best practices:
- Are your backups managed by an operator separate from production?
- Are backup credentials completely independent from production / AD credentials?
- Are your backups hosted in France or the EU?
- Is encryption applied client-side (before transmission)?
- Do you have a contractual and tested RTO/RPO?
- Are your backups out of reach of ransomware running on your network?
- Do you have a GDPR data processing agreement for your backups?
- Are your backup jobs monitored 24/7 with failure alerts?
If you checked fewer than 6 boxes, a BaaS model would fill the identified gaps.
8. NimbusBackup: BaaS Designed for Compliance
At NimbusBackup, the BaaS model isn't a marketing argument: it's the foundation of our security architecture.
Infrastructure
- Equinix Paris Datacenter (France)
- RDEM Systems private network (AS206014)
- Dedicated PBS per client, no multi-tenant
- Air-gapped and bank vault options
Compliance
- AES-256 client-side encryption
- Backup-only accounts (zero admin)
- GDPR data processing agreement included
- NIS2, ANSSI, cyber-insurance compatible
Switch to Backup as a Service
From 12 EUR/TB/month, monitoring and support included. Operational in 15 minutes.
