When ransomware hits or a region goes dark, NIS2 compliance is judged on one thing: does the business come back? Regulators and incidents both test recovery, not your binder of policies. Real readiness means you can rebuild your cloud environment, not just restore data and point to documentation.

TL;DR

  • NIS2 compliance is judged on provable recovery, not policy documents. Regulators and incidents both test whether the business comes back.
  • NIS2 and DORA both make business continuity and incident handling obligations, so recovery readiness, not just data backup, is the real bar.
  • Data recovery alone is not business recovery. If your cloud configuration cannot be rebuilt to a known-good state, the environment stays down.
  • Incomplete Infrastructure as Code is a common cause of the recovery gap. The parts of your configuration you never captured are the parts you cannot restore.

NIS2 compliance demands cyber resilience, not just paperwork

NIS2 compliance rests on operational obligations, not document management. The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s broad EU cybersecurity directive. It entered into force in January 2023 and replaced the original 2016 NIS Directive from October 2024. As the EU cybersecurity directive, it pushes regulated operators past checklists. It mandates cybersecurity risk management, incident handling, and business continuity as live duties. Article 21(2)(c) names business continuity directly, including backup management and disaster recovery (the NIS2 Directive, Article 21). The famous ten measures matter, but continuity and recovery are where an incident actually grades you.

This NIS2 cybersecurity directive does not stand alone. DORA is its peer for the financial sector. DORA (Regulation (EU) 2022/2554) requires operational resilience and ICT risk management from banks, insurers, and investment firms. The NIS2-and-DORA pairing points the same way. Both treat recovery as an obligation, not a nice-to-have. Take a national energy utility inside NIS2 scope. It can hold every policy on file, yet still fail the moment its control systems cannot be restored after an attack.

These obligations land on the DevOps teams who own the cloud infrastructure. Meeting them is not a governance exercise. It means being able to rebuild the environment under pressure. A Cyber Resilience Platform picks up exactly where these rules point, at operational resilience and continuity. ControlMonkey works at that layer. It supports your NIS2 compliance effort and aligns with DORA recovery-readiness expectations, without claiming to make you compliant on its own.

The NIS2 Directive applies to a wide range of critical and essential sectors across the EU. Industries affected include health, banking, financial markets, and digital infrastructure. Public administration, transport, energy, and water services are also impacted. This includes drinking and wastewater services, food production, and postal and courier services. Manufacturing, ICT services, chemical processing, and digital providers are affected too. This broad scope means nearly every cloud-driven enterprise must address NIS2 readiness.

Why recoverable configuration underpins NIS2 compliance

The business comes back only when its operating environment comes back. When an incident strikes, restoring data is not enough. Your cloud configuration, the settings that route, secure, and run everything, has to be rebuilt too. Cloud configuration determines recoverability. Without it, the data has nowhere to live.

This is the work of cloud configuration disaster recovery. You recover the configuration that defines the environment, back to the last known-good state. Configuration recovery restores that known-good state against clear targets. Recovery Time Objective (RTO) is how fast you restore. Recovery Point Objective (RPO) is how much recent change you can afford to lose. Disaster recovery of the configuration layer is what moves both numbers in your favor.

The diagram shows why a data-only restore leaves the environment down, and where configuration recovery closes the loop.

This recoverability is the recovery readiness that NIS2 and DORA expect for business continuity. It also produces the audit evidence that demonstrates it. Versioned snapshots of your configuration are what make a clean restore point possible.

ControlMonkey provides this. It captures versioned snapshots, restores the known-good state, and reduces RTO for configuration. Consider an EU bank’s payment platform under DORA. When access rules and network config are recoverable, a failed deploy becomes a rollback, not an outage.

icon

See If Your Cloud Is Actually Recoverable

Identify your recovery gaps and see how quickly your cloud environment can be restored for DORA readiness.

The recovery gap data backup leaves behind

Most teams equate backup with recovery, and that is the costly mistake. Backups restore your data. They do not rebuild the cloud configuration that makes the environment run. Cyber resilience extends beyond data backup because data with no environment to run in is just storage. The bill arrives at the worst moment.

At least 52% of cyberattacks with known motives are driven by extortion or ransomware. Source: Microsoft Digital Defense Report 2025.

Here is the mechanism of failure. Infrastructure as Code partially captures your cloud configuration, never all of it. Incomplete IaC then causes the recovery gap.

The drift, the console hotfixes, the untracked resources, those are exactly what you cannot restore when you need to. Picture a SaaS provider’s tier-0 database. Half its access policies and network rules live outside code, applied by hand months ago. A backup-only plan cannot see them. Ransomware targets recovery paths, so this gap surfaces under maximum pressure. Recovering from a cloud outage is the same problem in a different costume.

Closing the gap means treating live configuration as recoverable. You convert live configuration into deployable recovery definitions, then restore from a known-good state. This is where IaC belongs in the story, as a partial mechanism and a real source of risk, not the hero. ControlMonkey closes the recovery gap. It captures the full configuration as versioned snapshots, beyond what hand-written code covers, and restores the known-good state.
What recovery readiness for NIS2 and DORA looks like

What recovery readiness for NIS2 and DORA looks like

A recovery-ready posture has three traits. They turn the argument above into something a team can actually adopt:

  • The full cloud configuration is captured as versioned snapshots, not just data.
  • A defined known-good state exists to restore to, with clear RTO and RPO targets.
  • Restores produce audit evidence that demonstrates recovery readiness for NIS2 and DORA.

Build it as a deliberate cloud disaster recovery strategy, not a reaction. Take a regulated hospital network. It needs patient systems back fast, and proof of how. This approach helps teams meet the recovery-readiness and business-continuity expectations of both regulations. It does not make them compliant. ControlMonkey improves recovery readiness, aligns with DORA, and supports NIS2 compliance by maintaining restorable configuration and the evidence that proves it.

Closing the NIS2 recovery gap

The lesson is simple. NIS2 compliance and DORA reward provable recovery, not documentation. That readiness rests on recoverable cloud configuration, which closes the recovery gap that backups leave behind. Data recovery alone is not business recovery. The teams that can prove they recover are the ones treating configuration as a first-class restore target, against real RTO and RPO. See how the cyber resilience platform makes your configuration layer recoverable.

Bottom CTA Custom Background

A 30-min meeting will save your team 1000s of hours

A 30-min meeting will save your team 1000s of hours

Book Intro Call

Author

Zack Bentolila

Zack Bentolila

Marketing Director

Zack is the Marketing Director at ControlMonkey, with a strong focus on DevOps and DevSecOps. He was the Senior Director of Partner Marketing and Field Marketing Manager at Checkmarx. There, he helped with global security projects. With over 10 years in marketing, Zack specializes in content strategy, technical messaging, and go-to-market alignment. He loves turning complex cloud and security ideas into clear, useful insights for engineering, DevOps, and security leaders.

    Sounds Interesting?

    Request a Demo