---
title: "Hybrid Backup Architecture: Best Practices for European Organizations"
date: 2026-01-22T09:35:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/hybride-backup-architektur-datensouveraenitaet"
section: "Entries: Articles"
---
### Why Data Sovereignty Matters Especially for Backup

Backup data is not a second-class copy. It contains the same content as your production systems: customer records, financial documents, communications, strategic materials. Choosing backup storage without a sovereignty perspective means surrendering control over the same dataset, just with a time delay.

**Three legal frameworks that create a need for action:**

#### US CLOUD Act (2018)

US authorities can compel providers under US jurisdiction to produce data they hold, regardless of where the servers are physically located. This applies to all providers with a US parent company (AWS, Microsoft Azure, Google Cloud) and to many SaaS offerings built on their infrastructure.

Practical consequence: backup data stored with a US provider is subject to potential disclosure under US legal orders, without involvement of an EU court.

#### GDPR (EU, since 2018) and Schrems II (CJEU, 2020)

In Schrems II, the Court of Justice of the European Union invalidated the EU-US Privacy Shield. The reason was US surveillance law (Section 702 FISA, Executive Order 12333) and the lack of effective redress for EU citizens, which prevented an essentially equivalent level of protection. The successor framework, the EU-US Data Privacy Framework (2023), is currently operational and survived its first court test in 2025, but an appeal is pending and the legal basis for US transfers has now failed twice in a decade. Healthcare organizations, public authorities and financial institutions are well advised to keep personal data physically within the EU.

#### NIS2 (EU Directive, transposed into national law)

NIS2 obliges organizations in essential and important sectors to implement risk-management measures including backup management, business continuity and supply-chain security. A backup strategy that depends entirely on a single cloud provider creates a concentration risk that is difficult to defend in a NIS2 audit. For financial entities, DORA adds explicit ICT third-party risk management on top.

---

### The Sovereignty Principle: Which Data Belongs Where

Not all data requires the same level of protection. A pragmatic decision matrix:

- **Critical operational data** (ERP, production data, contracts): very high sovereignty requirement; on-premises in the EU
- **Personal data under GDPR** (customer data, HR, patient records): high; on-premises or EU provider without US parent
- **Regulated records** (accounting, audit documentation): high; on-premises, audit-proof storage
- **Non-critical operational data** (log files, technical metrics): low; flexible placement
- **Public or anonymized data** (marketing statistics, demos): no constraint

**The guiding question:** “Would access by a foreign authority to this dataset compromise our operations, our customers or our legal compliance?” If yes: on-premises.

---

### 4‑Tier Reference Architecture with Sovereignty Assessment

#### Tier 1: On-Premises Primary Backup

**Technology:** Deduplicating backup software (for example Veeam or Commvault), writing to on-premises storage over standard protocols (NFS, SMB, iSCSI, S3-compatible)

**Characteristics:**

- High backup frequency (hourly to daily)
- Fast recovery (RTO: minutes to a few hours)
- Network-adjacent, in your own data centre

**Sovereignty assessment: full sovereignty**

- Hardware under your own control
- No third-party access
- EU law applies
- No egress costs

**Vulnerability:** Tier 1 is network-connected. A ransomware attack that compromises the network can also attack Tier 1 backups. Tier 1 alone is not sufficient.

#### Tier 2: Air Gap On-Premises (Maximum Sovereignty Plus Ransomware Protection)

**Technology:** Backup storage physically or galvanically isolated from the network

Two technically distinct approaches:

**Physical air gap (Silent Brick Pro):** Silent Brick Pro units are physically removable from the Controller X. Removed bricks are completely isolated; no attacker controlling the network can reach them.

**Galvanic air gap (Silent Brick Max Air):** Silent Brick Max Air isolates the storage galvanically, without requiring physical removal. The isolation is enforced at the hardware level.

**Sovereignty assessment: maximum sovereignty**

- Physically under your own control
- In the isolated state, unreachable by any network system
- Protected even in the event of complete network compromise
- Data never leaves the organization

**Use:** Weekly or monthly backup points; the recovery baseline after a ransomware attack or total failure

#### Tier 3: WORM Archive On-Premises (Audit-Proof and Sovereign)

**Technology:** Hardware WORM system, Silent Cubes

Silent Cubes are dedicated archiving systems with hardware WORM: stored data is physically immutable. Even an administrator with full system rights cannot overwrite or delete archived data; this is enforced by the hardware design, not by software rules alone.

**Sovereignty assessment: audit-proof and fully sovereign**

- Complete physical control
- Hardware immutability satisfies statutory retention obligations across the EU; in Germany, for example, the requirements of commercial and tax law (HGB, GoBD), with equivalent retention regimes in other member states and sectors
- No cloud provider or third party involved
- Designed for retention periods of 10 to 30+ years

**Use:** Long-term archiving of financial records, contracts, patient data and official documents; fulfilment of compliance requirements that mandate immutable storage

#### Tier 4: Geo-Redundancy (Options and Sovereignty Trade-Offs)

Geo-redundancy (an additional copy at a geographically separate location) protects against scenarios that affect an entire site: fire, flooding, physical destruction.

**Option A: Second on-premises data centre (sovereign)**

- Full control, maximum sovereignty
- Cost: infrastructure at two locations
- Recommended for: critical infrastructure operators, public authorities, financial institutions, healthcare

**Option B: Colocation at an EU data centre (sovereign)**

- Hardware owned by you, hosted at an EU colocation provider without US affiliation
- EU law applies
- Cost: colocation fees; no egress costs on your own hardware

**Option C: EU cloud provider (limited sovereignty)**

- Suitable for non-critical data when a second site is not feasible
- Requirements: EU-registered provider, no US parent company, GDPR-compliant processing
- Note: even EU subsidiaries of US corporations remain exposed to US orders

**Option D: US cloud provider (not recommended for critical data)**

- Full CLOUD Act exposure
- Not suitable for critical business, customer or regulated data

**Trade-off summary for Tier 4:**

- Second on-premises site: maximum sovereignty, high cost; for critical infrastructure, public sector, finance
- EU colocation without US affiliation: high sovereignty, medium cost; for SMEs and healthcare
- EU cloud without US affiliation: medium sovereignty, low cost; for non-critical data
- US cloud: low sovereignty; not for critical data

---

### Regulatory Requirements by Sector

#### Healthcare

Patient data is subject to particularly strict protection under the GDPR, supplemented by national and regional rules (in Germany, for example, state hospital and data protection laws). Patient data should not reside on systems with US legal exposure.

Recommendation: Tiers 1 to 3 entirely on-premises; Tier 4 through an EU colocation provider without US parent.

#### Financial Services

DORA (Digital Operational Resilience Act, applicable since January 2025) obliges financial entities to carry out resilience testing, incident reporting and ICT third-party risk management. Cloud dependencies must be documented and assessed for concentration risk.

Retention rules for accounting and audit records across the EU (in Germany codified in HGB and GoBD) require immutable archiving of business records; hardware WORM satisfies this directly.

Recommendation: Tier 3 with hardware WORM for regulated records; Tier 4 as EU colocation or second site.

#### Critical Infrastructure Operators

Organizations in sectors such as energy, water, transport and food fall under NIS2 and its national transpositions (in Germany combined with the national IT security regime). Downtime tolerance is regulated; backup and recovery capability must be demonstrable.

Recommendation: all four tiers on fully sovereign infrastructure; Tier 4 as a second physical site.

#### Public Authorities

Public bodies are subject to national security baselines (in Germany, BSI IT-Grundschutz) and procurement rules that generally exclude US-controlled cloud for government data.

Recommendation: fully on-premises or via dedicated government infrastructure; no US-dependent cloud.

---

### Practical Decision Guide: Which Data Must Remain On-Premises?

**Mandatory on-premises (no exceptions):**

- Would foreign authority access to this dataset compromise operations or compliance?
- Is the data subject to a statutory retention obligation with an immutability requirement?
- Is it patient data, government records or operational data of critical infrastructure?

**Recommended on-premises:**

- Does the dataset contain trade secrets or proprietary business knowledge?
- Does it include customer data for which you carry liability towards third parties?
- Is the recovery time so critical that egress costs or internet bandwidth would be a problem?

**Flexible placement possible:**

- Is it technical metadata, anonymized statistics or publicly available content?
- Are there no regulatory constraints, and would disclosure create no competitive disadvantage?

---

### Implementation Steps for Getting Started

A complete 4‑tier architecture does not emerge overnight. This sequence reduces risk progressively:

**Step 1: Inventory.** Document which data is backed up where. Assess each category: foreign access risk, retention obligation, RTO/RPO requirements.

**Step 2: Tier 1 consolidation.** Ensure all critical data is backed up at least on-premises. Migrate backups currently held only with US providers onto sovereign systems.

**Step 3: Introduce an air gap for critical data.** Identify the categories where ransomware protection and physical isolation are essential. Implement Tier 2 for them.

**Step 4: WORM archive for compliance data.** Introduce hardware WORM for all data under statutory retention with immutability requirements. Define and document retention periods in your procedural documentation.

**Step 5: Plan geo-redundancy by the sovereignty principle.** Choose Tier 4 based on requirements: second site, EU colocation, or (only for non-critical data) EU cloud without US affiliation.

**Step 6: Regular restore tests.** An untested backup architecture is not insurance. Schedule quarterly restore tests across all tiers and document the results.

---

### Summary

A hybrid backup architecture that takes data sovereignty seriously is not in conflict with modern IT. It is the logical consequence of the CLOUD Act, the GDPR, NIS2, DORA and the lessons of recent ransomware incidents and cloud dependencies.

The 4‑tier model provides the structure. The sovereignty assessment per tier determines which technology and which provider fits which data category. On-premises remains the only approach that guarantees full control over the critical data of European organizations.

---

### Further Resources

- [What Is Data Sovereignty?](/en/blog/was-ist-datensouveraenitaet/)
- [Multi-Tier Backup Architecture: Best Practices](/en/blog/mehrstufige-backup-architektur/)
- [US CLOUD Act Explained: Why Server Location Alone Is Not Enough](/en/blog/us-cloud-act-erklaert/)
- [NIS2: IT Resilience Requirements](/en/blog/nis2-it-resilienz-anforderungen/)
- [Logical vs. Physical Air Gap](/en/blog/logischer-vs-physischer-air-gap/)
- [WORM Storage: Fundamentals](/en/blog/worm-speicher-grundlagen/)

### Supply Chain Security

Supply chain security refers to the systematic assessment, securing and contractual obligation of all IT service providers, cloud providers and storage vendors in an organization's IT supply chain — NIS2 and DORA make this mandatory and require evidence of data localization, audit rights and exit strategies.

[Learn more →](https://www.fast-lta.de//en/glossary/supply-chain-security)

### 3-2-1-1-0 Backup Rule

The 3-2-1-1-0 rule is the current standard for ransomware-resilient backup strategies: three copies of data, on two different media types, at one off-site location, with one copy physically isolated from the network (offline/air-gapped), and zero unverified backups.

[Learn more →](https://www.fast-lta.de//en/glossary/3-2-1-1-0-backup-rule)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)

### GoBD

The GoBD (Principles for the Proper Management and Storage of Books, Records and Documents in Electronic Form as well as Data Access) is a German Federal Ministry of Finance letter that specifies how tax-relevant documents must be archived electronically in Germany — particularly regarding immutability, completeness and auditability.

[Learn more →](https://www.fast-lta.de//en/glossary/gobd)

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

### Data Sovereignty

Data sovereignty describes an organization's complete control over its data: where it is stored, who can access it, which legal framework applies to it and whether it is available at any time without dependency on a single provider.

[Learn more →](https://www.fast-lta.de//en/glossary/data-sovereignty)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### KRITIS (Critical Infrastructure)

KRITIS refers to organizations and facilities whose failure or impairment would cause significant supply shortages or threats to public safety — KRITIS operators are subject to heightened IT security requirements under §8a of the German BSI Act and must demonstrate compliance to the BSI every two years.

[Learn more →](https://www.fast-lta.de//en/glossary/kritis-critical-infrastructure)

