---
title: "IT Resilience: A Board-Level Priority. 5 Arguments for the Executive Suite"
date: 2026-05-13T15:45:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/warum-it-resilienz-chefsache-ist-5-argumente-für-den-vorstand"
section: "Entries: Articles"
---
### 1. Personal Accountability of Management Under NIS2

The most important argument: NIS2 obligates essential and important entities across the EU to implement cybersecurity risk management measures, explicitly including backup management, disaster recovery and crisis management. And the obligation does not stop at the IT department. Under Article 20 of the directive, the management bodies must approve the risk management measures and oversee their implementation, and they can be held liable for infringements. Members of management must also undergo cybersecurity training.

In Germany, this is implemented through the NIS2UmsuCG, in force since 6 December 2025 (registration deadline for affected entities was 6 March 2026). The fine corridors are substantial: for essential entities up to EUR 10 million or 2% of global annual turnover, for important entities up to EUR 7 million or 1.4%.

What this means: if a company suffers a cyberattack and its IT resilience measures are absent or evidently underinvested, management can be held personally accountable. This is not compliance theater; it is law with real consequences.

**The lesson:** Document resilience decisions and investments. An audit trail showing that the board has consciously engaged with IT resilience is the best protection against accusations later.

### 2. Cost of an Outage vs. Cost of Prevention

The economics are clear even without inflated figures. Industry reports consistently put the cost of a serious ransomware incident in the seven-figure range: the Sophos State of Ransomware 2025 report measured average recovery costs of about USD 1.5 million, excluding any ransom payment, downtime losses, customer churn, and reputational damage.

A resilience program (air-gapped backup tier, recovery runbooks, quarterly tests, an isolated recovery environment for critical systems) costs a fraction of that, even for larger organizations.

**The calculation is straightforward:** one prevented uncontrolled outage typically pays for years of resilience investment.

**Additionally:** organizations without a demonstrated recovery capability pay ransom far more often. In the Sophos 2025 data, 49% of organizations whose data was encrypted paid. With a verified restore path from an immutable, isolated backup copy, the extortion loses its leverage, at least as far as the encryption is concerned; a backup does nothing against the separate threat of publishing data the attackers exfiltrated before encrypting.

### 3. Insurance Requirements Are Tightening

Cyber insurance policies that were relatively generous until a few years ago now set significantly higher requirements. Many insurers require demonstrated resilience measures as a condition for coverage:

- Backup isolation (air gap architecture with an isolated backup tier)
- Regular recovery tests
- Documented incident response plan
- Documented business continuity management
- Multi-factor authentication on critical systems

Without these measures, premiums rise, the insurer declines coverage, or ransomware is excluded from the policy. With documented resilience: better terms and higher coverage limits. The exact premium effect depends on the insurer and the risk profile, but isolated backups and documented recovery tests are among the questions on virtually every cyber insurance application today.

### 4. Customer Trust and Reputation Protection

Large customers, particularly in financial services, the public sector, or critical infrastructure, now contractually require you to demonstrate verifiable IT resilience. You will be asked about RTO/RPO (Recovery Time Objective / Recovery Point Objective), about your backup isolation, and about test evidence. DORA reinforces this in the financial sector: regulated entities must manage ICT risk in their supply chain, which means their providers get audited.

A company that stumbles during an attack and cannot say when it will be available again loses not only that customer but also the trust of other customers who learn about the incident.

Conversely: a company that can say "We maintain an air-gapped backup tier, our RTO is 4 hours for ERP and 24 hours for file servers, and we test this quarterly" wins customer contracts.

In the B2B world, resilience has become a competitive advantage.
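What "we test this quarterly" has to mean in evidence terms is shown by the following Python script, an added example that is not FAST LTA's code or tooling. It scores restore-test records against per-system RTO/RPO targets and a maximum age for the newest test, so that a missed target, a stale test or a system that was never tested is visible before a customer or insurer asks. The system names, targets and test records are constructed for illustration; a real run would read them from the backup software's restore log.

```python
"""Check recovery-test evidence against RTO/RPO targets.

Added example, not FAST LTA's own tooling. System names, targets and the
test records below are constructed; replace them with your own restore log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Target:
    rto: timedelta            # maximum acceptable downtime
    rpo: timedelta            # maximum acceptable data loss
    test_interval: timedelta  # how old the newest restore test may be


@dataclass(frozen=True)
class RestoreTest:
    system: str
    last_good_backup: datetime   # timestamp of the copy that was actually restored
    failure_simulated: datetime  # when the outage clock started
    service_restored: datetime   # when the service was verified working again


def evaluate(test: RestoreTest, target: Target, now: datetime) -> dict:
    """Compare one restore test with the target for its system."""
    achieved_rto = test.service_restored - test.failure_simulated
    achieved_rpo = test.failure_simulated - test.last_good_backup
    return {
        "achieved_rto_h": achieved_rto / timedelta(hours=1),
        "rto_met": achieved_rto <= target.rto,
        "achieved_rpo_h": achieved_rpo / timedelta(hours=1),
        "rpo_met": achieved_rpo <= target.rpo,
        # evidence older than the test interval is an aspiration, not proof
        "evidence_current": now - test.service_restored <= target.test_interval,
    }


def evidence_report(tests, targets, now):
    """Newest test per system against its target; systems never tested are listed separately."""
    newest = {}
    for t in tests:
        if t.system not in targets:
            continue  # no target defined: nothing to measure against
        if t.system not in newest or t.service_restored > newest[t.system].service_restored:
            newest[t.system] = t
    results = {name: evaluate(t, targets[name], now) for name, t in newest.items()}
    untested = sorted(set(targets) - set(results))
    return {"results": results, "untested": untested}


def board_ready(report) -> bool:
    """True only if every system has current evidence that meets both targets."""
    return not report["untested"] and all(
        r["rto_met"] and r["rpo_met"] and r["evidence_current"]
        for r in report["results"].values()
    )


# --- constructed sample data (not real measurements) ---
UTC = timezone.utc
QUARTER = timedelta(days=90)
TARGETS = {
    "erp": Target(rto=timedelta(hours=4), rpo=timedelta(hours=1), test_interval=QUARTER),
    "fileserver": Target(rto=timedelta(hours=24), rpo=timedelta(hours=24), test_interval=QUARTER),
    "crm": Target(rto=timedelta(hours=8), rpo=timedelta(hours=4), test_interval=QUARTER),
}
NOW = datetime(2026, 5, 13, 12, 0, tzinfo=UTC)
TESTS = [
    # older ERP test: 5 h to restore, RTO missed; superseded by the April run below
    RestoreTest("erp", datetime(2026, 1, 20, 7, 0, tzinfo=UTC),
                datetime(2026, 1, 20, 8, 0, tzinfo=UTC), datetime(2026, 1, 20, 13, 0, tzinfo=UTC)),
    # ERP, April: backup 30 min old, service back after 3 h 20 min -> both targets met
    RestoreTest("erp", datetime(2026, 4, 23, 8, 30, tzinfo=UTC),
                datetime(2026, 4, 23, 9, 0, tzinfo=UTC), datetime(2026, 4, 23, 12, 20, tzinfo=UTC)),
    # file server, January: 26 h restore (RTO missed), 20 h data loss (RPO met), test now stale
    RestoreTest("fileserver", datetime(2026, 1, 12, 22, 0, tzinfo=UTC),
                datetime(2026, 1, 13, 18, 0, tzinfo=UTC), datetime(2026, 1, 14, 20, 0, tzinfo=UTC)),
    # "crm" has a target but no test record at all
]

if __name__ == "__main__":
    report = evidence_report(TESTS, TARGETS, NOW)
    for name, r in report["results"].items():
        print(f"{name}: RTO {r['achieved_rto_h']:.1f} h ({'ok' if r['rto_met'] else 'MISSED'}), "
              f"RPO {r['achieved_rpo_h']:.1f} h ({'ok' if r['rpo_met'] else 'MISSED'}), "
              f"evidence {'current' if r['evidence_current'] else 'STALE'}")
    print("never tested:", report["untested"])
    print("board-ready:", board_ready(report))
```

With the constructed data the ERP claim from the quote above holds (3.3 h against a 4 h RTO, tested 20 days ago), but the file server fails twice over: its only test took 26 h against a 24 h RTO and is older than a quarter, and the CRM system has a target with no evidence at all. That is exactly the difference between an aspirational RTO and a demonstrated one.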

### 5. Supply Chain Dependencies and Systemic Risk

Every company is part of a supply chain. A failure at your end can harm customers. A failure at one of your critical suppliers can shut down your production. This is no longer a theoretical question.

NIS2 explicitly requires in-scope entities to address supply chain security, including the security of relationships with direct suppliers and service providers. This means: your customers will ask you how resilient you are. And you must ask your suppliers how resilient they are.

A company without documented resilience becomes the weak point of the entire supply chain. This can lead to loss of contracts.

### How to Convince the Board

Resilience gets onto the board agenda when you present it as a business case:

1. **Loss avoidance:** "A resilience investment in the six-figure range avoids an uncontrolled incident in the seven-figure range."
2. **Compliance fulfillment:** "NIS2 requires these measures, with fines of up to EUR 10 million or 2% of global turnover and personal management accountability."
3. **Insurance:** "Without isolated backups and recovery tests, our cyber coverage is at risk."
4. **Customer acquisition:** "Large customers now ask about RTO/RPO and test evidence. Without documented resilience, we lose contracts."
5. **Systemic risk mitigation:** "As a supplier, we must meet resilience standards, or we will be deselected."

This is board language: risk mitigation, cost control, competitiveness, compliance.

### Frequently Asked Questions

**Who is responsible: IT or the board?** The board bears overall responsibility, and under NIS2 it cannot fully delegate it. IT executes. Governance responsibility lies with the board or the audit committee.

**Can a smaller company afford IT resilience?** Yes, scaled appropriately. An SMB does not need the same complexity as a multinational. But an air-gapped backup tier and regular recovery tests are economically viable even for SMBs.

**If we move to the cloud, do we need less resilience?** No, and cloud should not be the primary strategy. Cloud providers offer availability guarantees for their platform, but under the shared responsibility model your data integrity, your isolated backup copy and your recovery capability remain your responsibility. An on-premises, immutable secondary storage tier under your own control is the foundation; cloud can at most complement it.

---

### Further Resources

- IT Resilience Guide (/en/blog/it-resilienz-leitfaden/)
- NIS2 and IT Resilience Requirements (/en/blog/nis2-it-resilienz-anforderungen/)
- NIS2 Personal Liability (/en/blog/nis2-persoenliche-haftung/)
- Business Continuity Plan (/en/blog/business-continuity-plan-leitfaden/)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss — both are metrics that must be technically demonstrably met in backup architectures and must not merely be defined as aspirational targets.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)

### DORA

DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting.

[Learn more →](https://www.fast-lta.de//en/glossary/dora)
