--- title: "From Level 2 to Level 4: The Most Efficient Path to Resilience" date: 2026-05-19T08:55:00+02:00 author: FAST LTA canonical_url: "https://www.fast-lta.de//en/blog/von-stufe-2-auf-stufe-4-resilienz" section: "Entries: Articles" --- ### 1. What Level 2 and Level 4 Mean in Practice [\#](#1-what-level-2-and-level-4-mean-in-practice "1. What Level 2 and Level 4 Mean in Practice") #### Level 2: Basic (partially prepared) [\#](#level-2-basic-partially-prepared "Level 2: Basic (partially prepared)") The typical Level 2 state: - **DR plan:** exists, last updated 2 or more years ago, never tested - **Backups:** run daily, recovery tests rare or never conducted - **RTO/RPO:** defined, but never tested against the actual architecture - **Backup access:** production admin accounts have access to backup systems - **Air gap:** no isolated backup layer - **Offline availability:** DR plan exists only in digital form - **NIS2 compliance:** not demonstrable **Real risk at Level 2:** If ransomware compromises the network and obtains sufficient credentials, online backups are at risk. The Veeam Ransomware Trends Report 2025 found that attackers targeted backup repositories in 89% of attacks. Recovery can take weeks, or fail entirely. #### Level 4: Managed (resilient) [\#](#level-4-managed-resilient "Level 4: Managed (resilient)") The Level 4 state: - **DR plan:** current, tested, with defined roles and a communication plan - **Backups:** multi-tier architecture with an air gap layer - **RTO/RPO:** defined AND verified through quarterly tests - **Backup access:** dedicated backup admin account, no production overlap - **Air gap:** physically or galvanically isolated backup layer in place - **Offline availability:** DR plan printed and stored securely - **NIS2 compliance:** demonstrable through documentation and test records **Real risk at Level 4:** Controlled. During a ransomware attack, the air gap layer remains intact. Recovery duration: hours to days, measured and documented. --- ### 2. The Gap Analysis: What Is Missing Between Level 2 and Level 4 [\#](#2-the-gap-analysis-what-is-missing-between-level-2-and-level-4 "2. The Gap Analysis: What Is Missing Between Level 2 and Level 4") The move from Level 2 to Level 4 requires four structural changes: #### Gap 1: Missing Air Gap Layer [\#](#gap-1-missing-air-gap-layer "Gap 1: Missing Air Gap Layer") **Problem:** All backup copies are network-attached. An attacker with domain admin rights can delete or encrypt them. **Solution:** Introduce a physically or galvanically isolated backup layer. With the Silent Brick System, the SB Pro variant provides a physical air gap (bricks are physically removable from the Controller X), while SB Max Air provides galvanic separation without physical removal. **Effort:** 4 to 8 weeks (procurement, installation, configuration). One-time. **Impact:** Largest single resilience gain. Closes the most common attack path against backup systems. #### Gap 2: No Recovery Test Records [\#](#gap-2-no-recovery-test-records "Gap 2: No Recovery Test Records") **Problem:** Backups exist, but no full restore has been tested in the last 12 or more months. The documented RTO is an estimate, not a measurement. **Solution:** Quarterly recovery tests with formal records: what was tested, when, how long the restore took, whether it met the RTO target. **Effort:** 1 day per quarter for the test, 2 hours for the record. Ongoing. **Impact:** Converts the RTO from an assumption to a measured value. Creates audit evidence for NIS2 and, in the financial sector, for the resilience testing obligations under DORA (Regulation (EU) 2022⁄2554). Surfaces weaknesses in the architecture before an incident does. #### Gap 3: Production Credentials for Backup Systems [\#](#gap-3-production-credentials-for-backup-systems "Gap 3: Production Credentials for Backup Systems") **Problem:** Backup administrators use the same accounts as production administrators. An attacker who compromises production admin credentials automatically has backup admin access. **Solution:** A dedicated backup administrator account used for no other purpose, with separate credentials. Ransomware that compromises production credentials then has no automatic access to backup systems. **Effort:** 1 day to create and reconfigure. **Impact:** Decouples backup security from production security. The cheapest security upgrade per unit of effort. #### Gap 4: Outdated and Digital-Only DR Plan [\#](#gap-4-outdated-and-digital-only-dr-plan "Gap 4: Outdated and Digital-Only DR Plan") **Problem:** The DR plan describes an infrastructure state from three years ago. It also lives on a SharePoint server, which may not be accessible when needed most. **Solution:** Annual DR plan updates following infrastructure reviews. Offline availability as a requirement: printed and locked away, or encrypted on media independent of the network. **Effort:** 1 day annually for the update. 30 minutes to print and store. **Impact:** In an actual incident, you have a plan you can trust, even without network access. --- ### 3. Implementation Path: 12 Weeks to Level 4 [\#](#3-implementation-path-12-weeks-to-level-4 "3. Implementation Path: 12 Weeks to Level 4") #### Weeks 1 to 2: Inventory and Quick Wins [\#](#weeks-1-to-2-inventory-and-quick-wins "Weeks 1 to 2: Inventory and Quick Wins") **Immediate actions (zero budget, 0 to 1 day effort):** - Create backup inventory: which systems are backed up? Which are not? - For each backup: can an attacker with admin credentials delete it? - Create a dedicated backup admin account (closes Gap 3) - Print the DR plan and place it in a secure location (partially closes Gap 4) **Outcome after week 2:** Gap 3 closed, Gap 4 partially closed. Clear picture of remaining gaps. #### Weeks 3 to 4: Planning and Procurement of the Air Gap Layer [\#](#weeks-3-to-4-planning-and-procurement-of-the-air-gap-layer "Weeks 3 to 4: Planning and Procurement of the Air Gap Layer") **Actions:** - Calculate capacity: data volume times 1.5 as a sizing guideline for air gap capacity - Decision: physical air gap (SB Pro, removable bricks) or galvanic separation (SB Max Air, automated)? - Initiate procurement (typical delivery: 2 to 4 weeks) - Write a backup policy for the air gap layer: frequency, retention, ownership **In parallel:** - Update the DR plan with the current infrastructure state and current contact details - Document RTO/RPO per critical system if not already done #### Weeks 5 to 8: Air Gap Layer Installation and Configuration [\#](#weeks-5-to-8-air-gap-layer-installation-and-configuration "Weeks 5 to 8: Air Gap Layer Installation and Configuration") **Actions:** - Install hardware and configure networking - Configure backup jobs: production to online repository, then a backup copy job to the air gap layer - Run the first test backup to the air gap system - Set up backup monitoring: failures must trigger immediate escalation **Outcome after week 8:** Gap 1 closed. Air gap layer operational. First backups running. #### Weeks 9 to 12: Tests, Documentation, Completion [\#](#weeks-9-to-12-tests-documentation-completion "Weeks 9 to 12: Tests, Documentation, Completion") **Actions:** - Run the first full recovery test from the air gap layer - Measure restore time against RTO targets - Create a test record (date, tester, system, restore time, outcome, deviations) - Align the backup concept with your framework of choice: ISO 27001:2022 controls, the NIS2 risk management measures, or, as a national example in Germany, the BSI IT-Grundschutz module CON.3 - Update the DR plan with the new air gap recovery procedure **Outcome after week 12:** All four gaps closed. First test records in place. Level 4 achieved. --- ### 4. Budget Frame: What the Move from Level 2 to Level 4 Costs [\#](#4-budget-frame-what-the-move-from-level-2-to-level-4-costs "4. Budget Frame: What the Move from Level 2 to Level 4 Costs") Exact figures depend on capacity and vendor, but the order of magnitude is consistent: - **Air gap system:** a one-time investment typically in the low five-figure euro range for mid-sized capacity, plus annual maintenance in the low four-figure range - **IT personnel for configuration and tests:** a few internal person-days one-time, then roughly one person-day per quarter for tests - **Documentation and DR plan update:** 1 to 2 internal person-days one-time, then about half a day per year **For comparison:** industry reports put the average cost of recovering from a ransomware attack, excluding any ransom, in the seven-figure range (Sophos State of Ransomware 2025: about USD 1.5 million on average), before reputational damage, regulatory fines, or customer losses. The Level 4 investment pays for itself with the first controlled incident. --- ### 5. What Level 4 Is Not, and Why Level 5 Comes Later [\#](#5-what-level-4-is-not-and-why-level-5-comes-later "5. What Level 4 Is Not, and Why Level 5 Comes Later") Level 4 is the foundation on which Level 5 builds: **What Level 4 delivers:** - Demonstrated recovery capability from the air gap layer - Protection against ransomware that compromises production credentials - A defensible NIS2 compliance baseline for backup management and disaster recovery - Controlled failure instead of uncontrolled total loss **What Level 4 does not yet deliver:** - Automated recovery testing - A full cyber resilience architecture with an isolated recovery environment - Red-team testing and tabletop exercises as regular practice - Continuous improvement from post-incident reviews **Recommendation:** Reach Level 4 in the first 12 weeks. Then: conduct a first tabletop exercise (a Level 5 element) and evaluate recovery test automation. --- ### 6. Measurement: How to Demonstrate Level 4 [\#](#6-measurement-how-to-demonstrate-level-4 "6. Measurement: How to Demonstrate Level 4") Level 4 is not self-assessment. It is a measurable property: - **Recovery test frequency:** target 4 times per year; evidence: test records with dates - **RTO compliance:** target above 90% of tests; evidence: restore time vs. documented RTO - **Backup success rate:** target above 99%; evidence: monitoring dashboard, monthly reports - **Air gap backup age:** target under 24 hours; evidence: backup job logs - **DR plan currency:** target under 12 months old; evidence: version control, date in document - **Backup admin isolation:** target 100%; evidence: directory account documentation --- ### Further Resources [\#](#further-resources "Further Resources") → IT Resilience Guide (/en/blog/it-resilienz-leitfaden/) → Resilience Maturity Self-Assessment (/en/blog/resilienz-reifegrad-selbstbewertung/) → NIS2 Audit Preparation: Checklist for IT Managers (/en/blog/audit-preparation-nis2-checklist/) → Tabletop Exercise Ransomware: Instructions and Scenarios (/en/blog/tabletop-exercise-ransomware/) → Air Gap as a Resilience Layer (/en/blog/air-gap-resilienz-layer/) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### DORA DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/dora) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### BSI IT-Grundschutz The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery)