
Disaster recovery

Disaster recovery refers to the set of technical and organisational measures used to systematically restore IT systems, applications and data after serious outages or disasters.

Disaster recovery (DR) comprises all technical and organisational provisions used to restore failed IT systems, applications and data sets after a serious incident. Triggers can include hardware failures, cyberattacks such as ransomware, software and configuration errors, power outages or physical disasters like fire and flooding. Disaster recovery is the IT-focused core of the broader business continuity management (BCM): while BCM ensures the continuation of critical business processes as a whole, DR concentrates on bringing the underlying information technology back into operation.

The central control parameters are the Recovery Time Objective (RTO) as the maximum tolerable recovery time and the Recovery Point Objective (RPO) as the maximum acceptable data loss, measured by the interval since the last usable backup. These targets are derived from the business impact analysis and determine the architecture of the DR solution, for example redundant data centres, geo-redundant sites, regular backups, replication or cloud-based failover. A robust disaster recovery plan documents responsibilities, recovery sequences, escalation paths and communication rules and must be validated for effectiveness through recurring tests and exercises.

Legally, disaster recovery has gained considerable importance through the NIS2 Directive and its national transposition. Essential and important entities must demonstrate measures for backup management, recovery and the maintenance of operations as part of their risk management. The BSI IT-Grundschutz also explicitly addresses recovery in its business continuity module, and ISO/IEC 27001 requires, in Annex A 5.29 and A 5.30, information security during disruption as well as ICT readiness for business continuity. Disaster recovery is therefore no longer merely operational precaution but increasingly a regulatory obligation with liability relevance for senior management.

Legal Basis

Art. 21(2)(c) NIS2 Directive (EU) 2022/2555; ISO/IEC 27001:2022 Annex A 5.29 and A 5.30; BSI Standard 200-4 (Business Continuity Management)

Practical Example

A mid-sized mechanical engineering company falls victim to a ransomware attack that encrypts its central file servers and ERP system. Thanks to a tested disaster recovery plan with daily, offline-held backups (RPO 24 hours) and a geo-redundant site, the IT department can restore the ERP system from the last clean backup within the defined RTO of eight hours. In parallel, the information security officer coordinates the report to the BSI, documents the incident and initiates a lessons-learned analysis after recovery to reassess the RTO and RPO targets and the effectiveness of the backup isolation.

FAQ

What is the difference between business continuity management and disaster recovery?

Business continuity management (BCM) is the overarching approach to continuing all critical business processes after a disruption. Disaster recovery is the IT-focused sub-area of BCM and concentrates on restoring information technology, namely systems, applications and data. DR thus provides the technical foundation on which BCM builds business continuity.

What do RTO and RPO mean?

The Recovery Time Objective (RTO) describes the maximum tolerable time until a failed system must be available again. The Recovery Point Objective (RPO) indicates the maximum acceptable data loss, measured by the interval since the last usable backup. Both values are derived from the business impact analysis and determine the effort and architecture of the DR solution.

Is disaster recovery mandatory under NIS2?

Yes. The NIS2 Directive requires essential and important entities to take measures to maintain operations, including backup management and recovery after an emergency, as part of their risk management. Disaster recovery is therefore a mandatory component, and the personal accountability of senior management makes it liability-relevant.
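The RTO and RPO definitions above, and the practical example's point about backup isolation, can be turned into a recurring control check. The following Python script is an added example written for this page; it is not code from preeco or from any standard cited here. It assumes a constructed backup catalogue and restore-test log, and it treats only successful backups that are held offline as "usable" for RPO purposes (a design choice that reflects the ransomware scenario, not a requirement stated in NIS2 or ISO/IEC 27001). RTO compliance is judged by the most recent restore test whose result was verified, because an untested recovery procedure gives no evidence that the RTO can be met.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class RecoveryTarget:
    system: str
    rto: timedelta          # maximum tolerable recovery time
    rpo: timedelta          # maximum tolerable data loss (age of last usable backup)

@dataclass
class BackupRecord:
    system: str
    finished_at: datetime
    succeeded: bool
    offline_copy: bool      # copy is held offline / immutable, not reachable from the network

@dataclass
class RestoreTest:
    system: str
    tested_on: datetime
    duration: timedelta     # wall-clock time from declaring the disaster to verified service
    verified: bool          # data integrity and application function confirmed after restore

def rpo_status(target: RecoveryTarget, backups: list, now: datetime):
    """Return (compliant, age) for the newest successful, offline-held backup of the system."""
    usable = [b for b in backups
              if b.system == target.system and b.succeeded and b.offline_copy]
    if not usable:
        return False, None          # no usable backup at all: RPO cannot be met
    newest = max(usable, key=lambda b: b.finished_at)
    age = now - newest.finished_at
    return age <= target.rpo, age

def rto_status(target: RecoveryTarget, tests: list):
    """Return (compliant, duration) based on the most recent verified restore test."""
    verified = [t for t in tests if t.system == target.system and t.verified]
    if not verified:
        return False, None          # never tested: treat as non-compliant, not as unknown
    latest = max(verified, key=lambda t: t.tested_on)
    return latest.duration <= target.rto, latest.duration

def evaluate(targets: list, backups: list, tests: list, now: datetime) -> dict:
    """Evaluate every system against its RTO/RPO and return a findings dictionary."""
    findings = {}
    for t in targets:
        rpo_ok, age = rpo_status(t, backups, now)
        rto_ok, duration = rto_status(t, tests)
        findings[t.system] = {
            "rpo_met": rpo_ok, "backup_age": age,
            "rto_met": rto_ok, "restore_duration": duration,
        }
    return findings

# --- Constructed sample data (not real systems) ---------------------------------
NOW = datetime(2024, 5, 6, 9, 0)

TARGETS = [
    RecoveryTarget("erp", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
    RecoveryTarget("fileserver", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
    RecoveryTarget("mail", rto=timedelta(hours=4), rpo=timedelta(hours=12)),
]

BACKUPS = [
    BackupRecord("erp", datetime(2024, 5, 5, 22, 30), succeeded=True, offline_copy=True),
    # fileserver: last night's job only wrote an online replica; the offline copy is two nights old
    BackupRecord("fileserver", datetime(2024, 5, 5, 23, 0), succeeded=True, offline_copy=False),
    BackupRecord("fileserver", datetime(2024, 5, 4, 23, 0), succeeded=True, offline_copy=True),
    BackupRecord("mail", datetime(2024, 5, 6, 2, 0), succeeded=True, offline_copy=True),
]

RESTORE_TESTS = [
    RestoreTest("erp", datetime(2024, 4, 15), timedelta(hours=6), verified=True),
    RestoreTest("fileserver", datetime(2024, 4, 15), timedelta(hours=5), verified=True),
    # mail has never had a verified restore test
]

def report(findings: dict) -> list:
    """Render findings as one line per system, suitable for a DR test record."""
    lines = []
    for system, f in findings.items():
        lines.append(
            f"{system:<11} RPO {'OK ' if f['rpo_met'] else 'BREACH'} (age {f['backup_age']})  "
            f"RTO {'OK ' if f['rto_met'] else 'BREACH'} (last test {f['restore_duration']})"
        )
    return lines

if __name__ == "__main__":
    print("\n".join(report(evaluate(TARGETS, BACKUPS, RESTORE_TESTS, NOW))))
```

Run as is, the script flags the file server for an RPO breach (its newest offline-held backup is 34 hours old even though an online replica from last night exists) and flags the mail system for an RTO breach because no verified restore test is on record. Feeding it real backup-catalogue exports and restore-exercise logs turns the RTO/RPO targets from the business impact analysis into a check that can run before every DR exercise and after every backup cycle.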
