IT resilience goes beyond classic high availability and IT security. Availability protects against individual component failures (RAID, clusters). Security protects against attacks (firewall, E). Resilience protects against scenarios in which entire systems, sites or infrastructure layers fail simultaneously — and ensures the organization can resume operations afterwards.

According to the Allianz Risk Barometer 2025, cyber incidents are the greatest business risk for companies globally — for the fourth consecutive year. attacks cause an average of 23 days of downtime (Sophos 2024). The central question is therefore no longer: Will we be attacked?’ But: How quickly can we resume operations afterwards?’

IT resilience rests on five pillars: prevention (stopping attacks), detection (recognizing attacks), response (incident response), recovery and adaptation (lessons learned). The recovery pillar is the most critical: prevention, detection and response can fail. Recovery must not fail — it is the last safety net. Recovery only works if the data being restored from has not also been compromised.

Cyber resilience is the specialization for cyber attacks and addresses a specific problem: modern ransomware specifically destroys backup infrastructure before encrypting production systems. This means the classic disaster recovery plan, which assumes intact backups, no longer holds. Cyber resilience requires at least one physically isolated recovery path (air gap) that remains intact even when all other layers have been compromised.

NIS2 and make IT resilience a legal obligation for thousands of organizations — with personal liability for management.

Frequently asked questions

IT security aims to prevent attacks and incidents. IT resilience accepts that prevention does not always succeed and ensures the organization can resume operations even after a successful attack. Security is a subset of resilience — resilience additionally encompasses recovery, business continuity and adaptability.
Quarterly recovery tests of critical systems are the minimum — recommended by both BSI (CON.3.A11) and NIS2. Additionally, a full recovery test of all critical systems with timing against RTO targets should be conducted annually. A backup that has never been tested is not a recovery plan — it is an assumption.