Backup and data recovery — business continuity strategy for organisations compliant with NIS2, ISO 27001 and DORA
A backup is not a single cron job on a file server — it is a designed disaster recovery strategy in which every technical decision follows from a business impact analysis. The starting point is two parameters: RPO (Recovery Point Objective), meaning how much data the organisation can afford to lose in the event of a failure, and RTO (Recovery Time Objective), meaning how long service restoration can take. These numbers determine the technology choices: snapshot frequency, synchronous or asynchronous replication, copy location and restore method.
The recommended industry standard is the 3-2-1 rule: three copies of data, on two different media, one copy at a location separate from production. In 2026 we extend this model to 3-2-1-1-0, where one of the copies is additionally offline or immutable (ransomware-resistant) and restore tests must complete with zero errors. Immutability is achieved through S3 Object Lock in compliance mode, Veeam Hardened Repository or Synology WORM, so that even an attacker who encrypts the production environment and takes over the backup console cannot delete the locked copies before their retention expires.
Virtline designs, deploys and maintains backup solutions for on-premises, cloud and hybrid environments — with emphasis on repeatable restore tests and mapping controls to NIS2, ISO 27001 and DORA requirements. We serve clients in the financial sector, healthcare, public administration and manufacturing, for whom production downtime means measurable losses or a breach of regulatory obligations.
What we protect in the backup scope
We design backup for the entire stack — from individual workstations to virtualisation clusters and cloud accounts. Our protection covers:
Virtual machines and physical servers — VMware vSphere, Microsoft Hyper-V, Proxmox, KVM and bare-metal servers running Windows Server and Linux.
Databases — Microsoft SQL Server, PostgreSQL, MySQL, MariaDB, Oracle DB with transaction-level backups and point-in-time recovery.
Microsoft 365 and Google Workspace — full backup of Exchange Online, OneDrive, SharePoint, Teams and Google Drive/Gmail with retention policies.
Workstations and laptops — endpoint backup for field and office workers with deduplication and client-side encryption.
Applications and containers — Kubernetes clusters (Velero, Kasten K10), Git repositories, SaaS applications via API.
Network device configurations — configuration backups for firewalls, switches, access points and management consoles.

Backup technologies — proven vendor platforms
We are not tied to a single vendor. We select the solution to match the client’s scale, budget and regulatory requirements. In our deployment practice we most often work with:
Veeam Backup & Replication — enterprise backup market leader, support for VMware, Hyper-V, AWS, Azure, M365, immutable repositories and Veeam Hardened Repository on Linux.
Acronis Cyber Protect Cloud — integrates backup with anti-malware protection and AI-based ransomware detection, well suited to SMEs and managed service providers (MSP).
Synology Active Backup for Business — cost-effective all-in-one solution for SMEs with native support for M365, hypervisors and workstations, plus WORM for immutable copies.
QNAP HBS 3 / NetBak — backup to QNAP NAS arrays with cloud replication, snapshots and WORM protection — a good choice for organisations with existing NAS infrastructure.
Carbonite Endpoint / Server — endpoint and physical server backup for organisations without a dedicated backup server, with automatic replication to Carbonite cloud.
S3-compatible object storage — AWS S3, Wasabi and MinIO with Object Lock in compliance mode, and Azure Blob with immutability policies, as the immutable tier for the 3-2-1-1-0 strategy.
How we design backup — 4 implementation stages
A backup implementation does not begin with software installation — it begins with a conversation about what “failure” means for the business. Each stage ends with a concrete deliverable, from the RPO/RTO matrix to the first successful test restore.
1. Business impact analysis (BIA) and backup policy — workshops with the client, establishing system criticality, RPO/RTO parameters for each application, legal retention requirements (accounting, personal data, medical records) and drafting a backup policy as a document compliant with ISO 27001 A.8.13.
2. Architecture design — technology selection (Veeam, Acronis, Synology, QNAP), 3-2-1 topology design, repository locations (on-premises, secondary site, cloud), immutable layer, capacity estimation and backup window planning.
3. Deployment and configuration — repository installation, job configuration, encryption, compression and deduplication setup, monitoring integration (Zabbix, PRTG, SIEM), client administrator training.
4. Restore tests and DR runbook — first full test restore of a critical application, disaster recovery runbook development, setting up a schedule for recurring tests (quarterly or every six months) and KPIs reported to management.
Backup in NIS2, ISO 27001 and DORA requirements
Backup and recovery is an area explicitly named in three key regulations relevant to European businesses. Lack of a documented policy and test evidence means non-compliance and the risk of sanctions.
- NIS2 art. 21(2)(c) — business continuity, such as backup management and disaster recovery, and crisis management. Essential and important entities must implement backup policies, business continuity and disaster recovery plans (BCDR) and crisis management. National laws transposing NIS2 carry this requirement over.
- ISO/IEC 27001:2022 A.8.13 — Information backup. The organisation must maintain backup copies of information, software and system images, test them regularly and retain them according to an agreed retention policy.
- ISO/IEC 27001:2022 A.5.30 — ICT readiness for business continuity. Requires planning, implementing, maintaining and testing ICT readiness to ensure business continuity — directly linked to RTO/RPO and DR tests.
- DORA art. 11 — response and recovery. Financial entities must maintain an ICT business continuity policy and ICT response and recovery plans, and test those plans at least yearly, so that critical functions can be restored quickly, securely and completely with minimal downtime.
- DORA art. 12 — backup policies and procedures, restoration and recovery procedures and methods. Financial entities must document the scope of data subject to backup and its minimum frequency based on criticality, restore backup data on systems physically and logically segregated from the source system, and periodically test backup, restoration and recovery procedures.
- GDPR art. 32 — security of processing. The controller must ensure the ability to rapidly restore the availability of personal data in the event of a physical or technical incident — in practice implemented through backups and disaster recovery.
Frequently asked questions about backup and data recovery
What is the 3-2-1 rule and is it still relevant in 2026?
The 3-2-1 rule is the industry standard: three copies of data (production plus two backups), on two different media (e.g. disk and tape or disk and object storage), with one copy off-site. In 2026 we extend it to 3-2-1-1-0: one of the copies must additionally be offline, air-gapped or immutable (ransomware-resistant), and recurring restore tests must finish with zero errors. The rule remains the current foundation of any DR strategy.
What is the difference between RPO and RTO, and how are they set?
RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time. The backup schedule must be at least that frequent: a job that runs every 4 hours can satisfy an RPO of 4 hours, but a single failed run stretches the gap to 8 hours, so what counts is the RPO actually achieved, not the one configured. RTO (Recovery Time Objective) is the maximum tolerable service downtime from failure to restoration; it covers detection, decision and recovery. Both parameters are set in a business impact analysis (BIA), separately for each application, based on the cost of one hour of downtime and the value of lost data.
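The point that a failed run doubles the gap is easy to miss when reading a job schedule. The following script is an added example (not part of this page or of any vendor's tooling) that computes the achieved RPO per system from a constructed restore-point history and compares it with assumed BIA targets; the system names, timestamps and targets are invented for illustration, and the history format stands in for whatever the backup server exports.

```python
"""Check achieved RPO per system from backup restore-point history (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample history: (system, restore point time in UTC, job status).
# In practice this is exported from the backup server's job log.
RESTORE_POINTS = [
    ("erp-db",   "2026-03-01T00:00:00Z", "Success"),
    ("erp-db",   "2026-03-01T04:00:00Z", "Success"),
    ("erp-db",   "2026-03-01T08:00:00Z", "Failed"),   # failed run: no usable restore point
    ("erp-db",   "2026-03-01T12:00:00Z", "Success"),
    ("erp-db",   "2026-03-01T16:00:00Z", "Warning"),  # completed with warnings
    ("fileserv", "2026-02-28T22:00:00Z", "Success"),
    ("fileserv", "2026-03-01T22:00:00Z", "Success"),
]

# Assumed RPO targets per system, as they would come out of the BIA.
RPO_TARGETS = {
    "erp-db":     timedelta(hours=4),
    "fileserv":   timedelta(hours=24),
    "web-portal": timedelta(hours=1),   # listed in the BIA but never backed up
}

# Point in time at which the check is run (constructed).
AS_OF = datetime(2026, 3, 1, 23, 0, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def achieved_rpo(points, system, now, warnings_ok=True):
    """Worst data-loss window for `system`, or None if no usable restore point exists.

    The achieved RPO is the largest gap between consecutive usable restore points,
    or between the last usable point and `now`, whichever is larger. A failed job
    does not reset the clock, so one failure in a 4-hour schedule yields an 8-hour gap.
    """
    usable = {"Success", "Warning"} if warnings_ok else {"Success"}
    times = sorted(_parse(ts) for s, ts, st in points if s == system and st in usable)
    if not times:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    gaps.append(now - times[-1])        # exposure since the last restore point
    return max(gaps)


def rpo_report(points, targets, now, warnings_ok=True):
    """Evaluate every system in the BIA against its RPO target."""
    report = {}
    for system, target in targets.items():
        achieved = achieved_rpo(points, system, now, warnings_ok)
        report[system] = {
            "target": target,
            "achieved": achieved,
            "ok": achieved is not None and achieved <= target,
        }
    return report


if __name__ == "__main__":
    for system, r in rpo_report(RESTORE_POINTS, RPO_TARGETS, AS_OF).items():
        state = "OK" if r["ok"] else "RPO BREACH"
        print(f"{system:10} target={r['target']} achieved={r['achieved']} {state}")
```

With the sample data, erp-db shows an achieved RPO of 8 hours against a 4-hour target because of the single failed run, fileserv meets its 24-hour target, and web-portal is reported as a breach because it has no restore point at all. Whether "Warning" jobs count as usable restore points is a policy decision; the `warnings_ok` flag makes that choice explicit.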
What is an immutable backup and why does it protect against ransomware?
An immutable backup is a copy that cannot be modified or deleted before its retention period expires, even by an administrator account. We implement this through S3 Object Lock in compliance mode, Veeam Hardened Repository on Linux with the XFS filesystem, Synology WORM or arrays with immutability features. Two caveats matter in practice: Object Lock in governance mode can be lifted by any principal holding the s3:BypassGovernanceRetention permission, so only compliance mode counts as immutable, and the retention period must be longer than the time an attacker could dwell in the environment before striking, otherwise the last clean copy expires before it is needed. With those in place, an attacker who gains control of the management console or admin keys still cannot delete the copies, and restore after a ransomware attack remains possible.
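Both the immutable-tier entry in the technology list and the answer above come down to the same check: is the object-storage tier configured so that nobody, including an admin, can remove a copy before its required retention? The script below is an added example (not part of this page or of any vendor's product) that evaluates constructed data in the shape returned by `aws s3api get-object-lock-configuration` and `aws s3api head-object`; the bucket settings, object keys, dates and the 30-day minimum retention are assumed values, and in a real check the two dictionaries would be filled from those CLI calls.

```python
"""Assess whether an S3 Object Lock tier is really immutable (added example)."""
from datetime import datetime, timedelta

# Constructed sample in the shape returned by `aws s3api get-object-lock-configuration`.
BUCKET_LOCK_CFG = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
    }
}

# Constructed per-object metadata in the shape returned by `aws s3api head-object`.
OBJECTS = {
    "veeam/erp-2026-03-01.vbk": {
        "LastModified": "2026-03-01T02:00:00+00:00",
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": "2026-04-01T02:00:00+00:00",
    },
    "veeam/erp-2026-03-02.vbk": {
        "LastModified": "2026-03-02T02:00:00+00:00",
        "ObjectLockMode": "GOVERNANCE",                              # bypassable
        "ObjectLockRetainUntilDate": "2026-04-01T02:00:00+00:00",
    },
    "veeam/erp-2026-03-03.vbk": {
        "LastModified": "2026-03-03T02:00:00+00:00",
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": "2026-03-10T02:00:00+00:00",   # shorter than policy
    },
    "veeam/erp-2026-03-04.vbk": {
        "LastModified": "2026-03-04T02:00:00+00:00",               # no lock at all
    },
}

REQUIRED_RETENTION = timedelta(days=30)   # assumed minimum from the backup policy


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_bucket(cfg: dict) -> list:
    """Findings about the bucket-level Object Lock configuration."""
    findings = []
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock not enabled; any principal with s3:DeleteObjectVersion can purge copies")
        return findings
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if rule is None:
        findings.append("bucket: no default retention; copies are locked only if the writer sets retention per object")
    elif rule.get("Mode") == "GOVERNANCE":
        findings.append("bucket: default mode is GOVERNANCE; principals with s3:BypassGovernanceRetention can shorten or remove it")
    return findings


def assess_object(key: str, meta: dict, required: timedelta):
    """One finding string for a copy that is not truly immutable, or None if it is."""
    mode = meta.get("ObjectLockMode")
    if mode is None:
        return f"{key}: no retention lock; deletable with s3:DeleteObjectVersion"
    retain_until = _parse(meta["ObjectLockRetainUntilDate"])
    required_until = _parse(meta["LastModified"]) + required
    if retain_until < required_until:
        return f"{key}: retention ends {retain_until.date()}, policy requires at least {required_until.date()}"
    if mode == "GOVERNANCE":
        return f"{key}: GOVERNANCE mode; bypassable with s3:BypassGovernanceRetention"
    return None


def assess_tier(cfg: dict, objects: dict, required: timedelta) -> list:
    """Bucket findings followed by per-object findings, in key order."""
    findings = assess_bucket(cfg)
    for key, meta in sorted(objects.items()):
        finding = assess_object(key, meta, required)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in assess_tier(BUCKET_LOCK_CFG, OBJECTS, REQUIRED_RETENTION):
        print(line)
```

On the sample data only the first copy passes: the bucket default is governance mode, one copy inherits that mode, one was locked for too short a period, and one carries no lock at all. The last case is the one that slips through most often, since objects written before Object Lock was enabled on the bucket, or by a tool that does not request retention, sit next to locked ones and look identical in a listing.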
Cloud backup or on-premises — which is better for a business?
It is not an either/or choice. Hybrid backup combines the advantages of both models: a local copy ensures fast restore (low RTO), a cloud copy protects against a site failure and satisfies the geographic separation requirement of 3-2-1. A cloud-only backup makes sense for small companies without infrastructure; on-premises-only for entities with data sovereignty requirements. We most often recommend a hybrid with an immutable cloud tier.
How much does a backup system implementation cost?
Cost depends on three variables: volume of protected data (TB), number of sources (VMs, databases, M365 accounts) and required RTO. SME solutions (Synology + Veeam Community) start from tens of thousands of PLN one-off plus cloud subscription. Enterprise deployments (Veeam B&R Enterprise Plus, dedicated repositories, cloud tier) run into hundreds of thousands. We prepare a quote after analysing requirements — contact us.
Why are restore tests more important than the backup itself?
An unverified backup is just occupied disk space. Many organisations discover problems with their copies only during an actual failure: a job that reports success can still leave a copy that is incomplete, corrupt or missing a dependency, and nothing but an actual restore reveals that. Recurring restore tests (quarterly for critical systems) verify copy integrity, DR runbook currency, team competence and RTO compliance. ISO 27001 A.5.30 and DORA art. 12 require documented tests; missing evidence is an audit non-conformity.
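"Zero errors" in a restore test is only meaningful if every restored file is compared with what was backed up, not just counted. The script below is an added example (not part of this page or of any backup product) of the integrity half of such a test: a SHA-256 manifest taken at backup time is checked against a restored tree, and the result distinguishes missing, altered and extra files. The directory names and file contents are constructed inside a temporary directory, and the simulated restore deliberately loses one file and truncates another.

```python
"""Verify a test restore file-by-file against a SHA-256 manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to `root` to its SHA-256; taken at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest; zero errors means every file came back intact."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    mismatched = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {
        "verified": len(manifest) - len(missing) - len(mismatched),
        "missing": missing,
        "mismatched": mismatched,
        "extra": extra,
        "zero_errors": not (missing or mismatched),
    }


def demo() -> dict:
    """Constructed scenario: a source tree, then a restore with one file truncated and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        files = {
            "erp/ledger.db": b"ledger " * 5000,
            "reports/q1.xlsx": b"quarterly figures",
            "hr/contracts/001.pdf": b"%PDF-1.7 contract",
        }
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)   # would be stored alongside the backup job

        # Simulated restore: ledger truncated (e.g. interrupted restore), q1.xlsx never restored.
        for rel, data in files.items():
            if rel == "reports/q1.xlsx":
                continue
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            (dst / rel).write_bytes(data[:-1] if rel == "erp/ledger.db" else data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    result = demo()
    print("zero errors" if result["zero_errors"] else f"restore test failed: {result}")
```

A restore that reports one missing and one mismatched file out of three fails the "0" in 3-2-1-1-0 even though the backup job itself logged success; the manifest has to be produced from the source at backup time and kept with the copy, otherwise the test can only confirm that the restore matches the backup, not that the backup matched production. Time the whole procedure as well, since that measurement is the evidence for the RTO.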
For whom we design backup
Our clients are organisations for whom downtime means measurable financial loss or a breach of regulatory obligations. We most often implement backup for:
- essential and important entities subject to NIS2 (energy, healthcare, transport, finance, public administration)
- financial institutions subject to DORA (banks, insurers, crypto-asset service providers, investment firms)
- organisations implementing or maintaining ISO 27001 certification as part of their information security management system
- manufacturing companies with ERP, MES and machine control systems (Industry 4.0, OT/ICS)
- law firms, accounting offices and medical entities with document retention obligations
- automotive sector companies with TISAX requirements in the supply chain
- e-commerce and SaaS businesses for whom RTO is measured in minutes
- local government units and public institutions
- telecommunications operators and essential service providers with continuity obligations
- universities and research institutes with large scientific data repositories
Why choose Virtline for your backup project
Virtline has been designing and maintaining backup systems in production environments for over 25 years. We combine deployment expertise with an auditor’s perspective — every solution satisfies specific ISO 27001, NIS2 and DORA controls. We hold our own PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD, so we know the requirements from the inside.
Key benefits of backup with Virtline:
Backup design derived from business impact analysis and regulatory requirements
Partner status with Veeam, Acronis, Synology, QNAP, Carbonite
Control mapping to NIS2 art. 21(2)(c), ISO 27001 A.8.13/A.5.30, DORA art. 11–12
24/7 support and SLA aligned to the client’s RTO requirements
Recurring restore tests and management reporting
Immutable backup architecture — ransomware resilience
Deployment experience from SMEs to enterprise clients
Local English-speaking support — no hand-offs to call centres
Contact us to design a backup and disaster recovery strategy tailored to your organisation’s requirements — with mapping to NIS2, ISO 27001 and DORA and a concrete restore test plan.
Plan a backup that actually works — pass your restore test without stress.
ISO/IEC 27001:2023 Certification
Virtline certified by TÜV NORD
Virtline holds the PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029. We design backup projects from the perspective of an audited entity — we know every control from the inside.
Talk to a Virtline expert
We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.