For organizations considered essential or important, compliance will no longer be limited to having documented cybersecurity policies; but to being able to demonstrate that they have a real capacity to withstand, respond to and recover from an incident.
The European Union's NIS2 Directive is entering a phase of stricter enforcement, as responsibility shifts from the European Commission to national supervisory authorities. Following delays in transposing the directive into national law, organizations classified as critical or essential entities are expected to go beyond simply documenting their cybersecurity policies and demonstrate their ability to prevent, manage, and recover from cybersecurity incidents. In May 2025, the European Commission intensified the pressure by issuing reasoned opinions to 19 Member States that had not yet fully implemented NIS2, bringing them closer to potential legal action before the Court of Justice of the European Union.
As national regulations continue to evolve, organizations can expect increased oversight through registration requirements, audits, compliance assessments, and potential penalties. One of the key implications of NIS2 is that cyber resilience and recovery capabilities become core compliance obligations. The directive mandates comprehensive risk management measures, including business continuity plans, backups, disaster recovery, crisis management, supply chain security, access controls, encryption, and incident reporting. Organizations must be able to demonstrate their ability to restore critical systems and maintain operations even during large-scale cyberattacks.
The threat of ransomware
This requirement comes at a time when ransomware remains one of the biggest threats to business continuity. According to Veeam’s 2025 Ransomware Trends Report, 69% of surveyed organizations experienced at least one ransomware attack. This figure confirms that strengthening defenses does not eliminate the need for a robust recovery strategy.
Attackers are increasingly targeting backup environments specifically to prevent data restoration and increase the pressure on victims. If backups can be modified, deleted, or encrypted, organizations are exposed not only to operational disruptions but also to regulatory non-compliance.
The Importance of Immutability
In this context, Object First emphasizes the importance of having backup storage with Absolute Immutability as an essential component of any resilience strategy. However, the company cautions that not all backup storage solutions marketed as immutable offer the same level of protection. One of the most significant differences is that, with Absolute Immutability, not even privileged administrators (or attackers who have gained access to the storage environment) can modify or delete backup data once it has been written.
For organizations affected by the directive, the priority in 2026 will be to move from merely formal preparation to demonstrating their actual response capabilities with concrete evidence. Having business continuity plans or backup policies will no longer be enough. Regulators, customers, and partners will increasingly demand evidence that organizations can restore their data, maintain their operations, and document their response during an incident.
Statements
Daniel Fried, SVP, Worldwide Sales at Object First
: "With NIS2, resilience and recovery capabilities are no longer just technical best practices but measurable compliance requirements. Organizations must demonstrate that their critical systems and data can be restored after a cyber incident, thus ensuring business continuity and operational stability. This places greater emphasis on the integrity of backups, as it will be necessary to demonstrate that recovery data cannot be modified, encrypted, or deleted by attackers during an incident."
