Backup Evidence for NIS2: What Auditors Want to See

NIS2 makes backup management mandatory - and demands evidence. Here is how to prove gapless backup monitoring without building a single extra slide.

With NIS2, the EU extends cybersecurity obligations to tens of thousands of companies - from energy and healthcare to logistics and IT service providers. Those in scope must implement risk management measures and be able to demonstrate them to supervisors and auditors.

Backups are explicitly named: Article 21 of the directive lists backup management and disaster recovery as part of the required business continuity measures. Having backups is not enough - you must be able to show that they run, that they are monitored, and that failures get noticed.

What NIS2 actually requires for backups

Directive (EU) 2022/2555 obliges "essential" and "important" entities to implement state-of-the-art risk management measures. Four points matter for backups:

  • Business continuity: backup management, disaster recovery and crisis management (Art. 21(2)(c))
  • Effectiveness: policies and procedures to assess whether your measures actually work (Art. 21(2)(f))
  • Supply chain: security of supplier relationships - your MSP or IT service provider becomes part of your customers' compliance (Art. 21(2)(d))
  • Management accountability: management bodies must approve and oversee the measures and can be held liable (Art. 20)

National implementation laws (such as the German NIS2 implementation act or the Austrian NISG) define supervision and evidence requirements in detail.

What auditors want to see

Auditors and supervisory authorities rarely ask for slide decks. They want evidence that backup monitoring is actually practised day to day:

  • A current overview of all systems and backup jobs - including status
  • Proof that failures are noticed: alerting on failed backups
  • Proof that silent failures are noticed too - a job that stopped running entirely is the most dangerous one
  • History: how did backups run over the past months? Were there gaps, and how were they handled?
  • Documentation per customer or system - especially for IT service providers delivering evidence to affected customers

How BackupMonitor delivers the evidence

Gapless monitoring

All backup status emails arrive in one place - across products, servers and customers.

Missing-mail detection

If an expected status email does not arrive, it counts as an error. Backups that silently stop do not go unnoticed.

6 months of history

All status emails are retained for six months - your audit evidence that monitoring ran continuously.
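As an added illustration (not BackupMonitor's own code), the two checks described above, missing-mail detection and finding gaps in the retained history, reduce to comparing each job's expected reporting interval plus a grace period against the status mails that actually arrived. Job names, schedules and mail timestamps below are constructed sample data:

```python
from datetime import datetime, timedelta

# Constructed sample: expected jobs with their schedule interval and grace period (hours).
JOBS = {
    "srv-file01/nightly": {"interval_h": 24, "grace_h": 6},
    "srv-db01/nightly":   {"interval_h": 24, "grace_h": 6},
    "nas-site2/weekly":   {"interval_h": 168, "grace_h": 24},
    "srv-app03/nightly":  {"interval_h": 24, "grace_h": 6},   # never sent a mail
}

# Constructed sample: status mails received, as (job, received_at, result).
RECEIVED = [
    ("srv-file01/nightly", "2024-05-01T02:05", "success"),
    ("srv-file01/nightly", "2024-05-02T02:08", "success"),
    ("srv-file01/nightly", "2024-05-05T02:11", "success"),   # two nights missing before this
    ("srv-file01/nightly", "2024-05-06T02:10", "success"),
    ("srv-file01/nightly", "2024-05-07T02:12", "success"),
    ("srv-db01/nightly",   "2024-05-05T03:00", "success"),   # then silence
    ("nas-site2/weekly",   "2024-05-04T23:30", "failed"),
]

def _deadline(cfg):
    return timedelta(hours=cfg["interval_h"] + cfg["grace_h"])

def evaluate(jobs, received, now):
    """Current state per job: 'ok', 'failed' (explicit failure mail) or 'missing' (silent)."""
    now = datetime.fromisoformat(now)
    last = {}                      # newest mail per job
    for job, ts, result in received:
        ts = datetime.fromisoformat(ts)
        if job not in last or ts > last[job][0]:
            last[job] = (ts, result)
    states = {}
    for job, cfg in jobs.items():
        if job not in last:
            states[job] = "missing"          # never reported at all
        elif now - last[job][0] > _deadline(cfg):
            states[job] = "missing"          # reporting stopped: the silent failure
        elif last[job][1] != "success":
            states[job] = "failed"
        else:
            states[job] = "ok"
    return states

def history_gaps(job, cfg, received):
    """Audit view: stretches in the retained history where a job's mails stopped arriving."""
    times = sorted(datetime.fromisoformat(ts) for j, ts, _ in received if j == job)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(times, times[1:]) if b - a > _deadline(cfg)]
```

A job whose last mail was a success but is older than interval plus grace is reported as missing, not ok, which is the case a plain "last result" check would miss.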

Weekly reports

Regular email summaries document ongoing control - archive them for your compliance records.

Service desk alerts

Failures create tickets in your service desk - the documented response process auditors ask about.

Groups per customer

Organize devices by customer or site and deliver evidence per customer - ideal for MSPs.

See it on the dashboard

Screenshot: backup history and dashboard in BackupMonitor

For MSPs: NIS2 affects your customers - and you

Many MSPs are affected twice: managed service providers are explicitly mentioned in the directive and can fall under NIS2 themselves - and affected customers must assess the security of their service providers under the supply chain requirements.

If you can hand your customers a backup monitoring report proactively, you answer their NIS2 questionnaires before they are sent - and turn a compliance duty into a sales argument.


The same pattern applies to cyber insurance

It is not only regulators asking: cyber insurers increasingly make backup monitoring and documented recoverability a condition for coverage and premiums. The questionnaires look similar - if your documentation works for NIS2, you already have the answers for your insurer.

FAQ

Does BackupMonitor make my company NIS2 compliant?

No - NIS2 compliance covers far more than backups. BackupMonitor covers one clearly defined building block: gapless monitoring and documentation of your backups. Which obligations apply to you is a question for your legal or compliance advisors.

How long does BackupMonitor retain the evidence?

Status emails are retained for six months. Weekly report emails can additionally be archived permanently, for example in your ticket system or document storage.

Is my company affected by NIS2 at all?

Roughly: companies with 50 or more employees or more than 10 million euros in turnover in one of the regulated sectors - plus smaller companies in critical areas. The national implementation laws are authoritative; when in doubt, get legal advice.

Does NIS2 apply to MSPs and IT service providers?

Managed service providers are explicitly mentioned in the directive and can be in scope themselves. Independently of that, affected customers will request evidence from their service providers under the supply chain requirements.

Try it free for 30 days

No credit card, nothing to install - the demo ends automatically.
