From Cyber Security to Cyber Resilience

Written by Gert-Jan Vaes | Apr 21, 2026 8:50:37 AM

Cyber security is not just an IT concern, but a business priority. According to Gartner’s 2025 CEO Survey, this understanding is already widespread: 85% of CEOs say cyber security is critical for business growth. An unsurprising trend, given that regulatory frameworks are increasingly focusing on the business implications of IT security. For instance, NIS2 has made directors personally liable for damages if gross negligence in cyber security management is proven.

Furthermore, cyberattacks have tangible business repercussions. According to ENISA’s Threat Landscape 2025 publication, over 4 out of 5 cybercrime incidents are ransomware attacks, making ransomware by far the most likely cause of major business disruption. These statistics underscore the convergence of IT and security, emphasizing that cyber security should not merely be viewed as a cost but as an integral element of IT. Security must be incorporated from the start—it can’t be bolted on later as an afterthought.

However, IT and security convergence is not enough for true cyber resilience, which represents an organization’s ability to maintain operations despite cyber incidents, failures, or disruptions. Achieving resilience requires a continuous improvement program, focusing on the appropriate security controls. But the most important part of cyber resilience is investing in foundational measures spanning the Assess, Prevent, Detect & Respond, and Recover security domains.

Cyber recovery supports regulatory compliance

Cyber recovery is therefore one of the foundational measures for achieving cyber resilience. It ensures that systems, data, and identities can be restored safely, cleanly, and swiftly following a cyber incident. While cyber security primarily targets the prevention and detection of attacks, cyber recovery operates on the premise that preventive measures will fail, focusing instead on post-compromise recovery.

A cyber recovery plan forms an integral part of an organization’s strategic planning for business continuity. Guided by regulatory mandates such as NIS2 and DORA, the organization conducts a business impact analysis to identify critical functions, tolerances, and recovery priorities. This analysis lays the groundwork for a business continuity plan that ensures business operations continue or resume quickly after disruptions. The disaster recovery plan, an IT-focused subset of the business continuity plan, is then translated into concrete architectural and technological choices, resulting in a backup plan and a cyber recovery plan.

Although the cyber recovery plan focuses on recovery from ransomware and malware incidents, its inclusion in the broader strategic planning for business continuity means that it directly supports regulatory compliance, operational resilience, and disaster recovery scenarios. As for regulatory compliance, NIS2, for example, expects organizations to be able to restore services and minimize the operational impact of incidents, but it grants flexibility in how these objectives are achieved.

Conversely, DORA (applicable to the financial sector) requires organizations not only to have recovery plans, but also to demonstrate and test that recovery actually works. In essence, NIS2 asks organizations whether they are resilient enough, while DORA asks them to prove it under stress.

The journey to cyber recovery

The architectural decisions to create a cyber recovery plan eventually translate into a portfolio of concrete solutions and services. For Cegeka, effective cyber recovery is built up in layers, with each layer strengthening the next one and addressing different recovery scenarios:

  1. Resilient architecture

    If the architecture lacks resilience and reproducibility, recovery efforts will invariably be slow and fragile. That’s why the first layer focuses on building solid IT foundations to ensure that systems can be recreated, scaled, and recovered predictably. Typically, this involves designing infrastructure with high availability and disaster recovery principles, integrating best practices like infrastructure as code and containerized workloads.

  2. Backup and recovery

    Building on this foundational architecture, the next point of attention is backup and recovery. Implementing this serves as an organization’s insurance policy against data loss due to cyber incidents, operational failures, human errors, and disasters. This is commonly achieved using the 3-2-1-1-0 strategy, robust security, segregation from the primary environment, immutability, and in-backup malware detection to support safe recovery.

  3. Advanced protection and accelerated recovery

    Depending on the amount of data, it can be difficult to achieve an acceptable RPO (Recovery Point Objective) and RTO (Recovery Time Objective) through backup and recovery alone. Therefore, the next layer aims to minimize recovery time by protecting data close to its origin and enabling faster and more efficient recovery with an RPO and RTO beyond what traditional backups alone can achieve. The goal is to restore operations as soon as possible.

  4. Cyber vault and recovery

    For organizations operating in highly regulated or critical sectors, the previous layers may not be sufficient. In such cases, a cyber vault provides an independent recovery path. This vault is logically and physically separated (air-gapped) from the customer environment and contains dedicated, malware-checked backup data. We view it as a Minimum Viable Company: the essential infrastructure required to recover from even the worst-case cyber incidents.

The true challenge lies not in implementing these individual layers, but in designing the optimal combination for each customer, and in determining which workloads are best suited to each layer. This depends on the customer’s IT environment, regulatory requirements, and business priorities.
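
As an added illustration (not Cegeka's tooling and not code from the original post), the sketch below checks a workload's copy inventory against the 3-2-1-1-0 strategy named in layer 2, using its common expansion (3 copies, 2 media types, 1 offsite, 1 immutable or offline, 0 restore-verification errors), and against the RPO from layer 3. The `Copy` record, its field names and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Copy:
    """One copy of a workload's data (hypothetical inventory record)."""
    name: str
    media: str                    # e.g. "disk", "object", "tape"
    backup: bool                  # False for the production copy
    offsite: bool                 # stored outside the primary site
    isolated: bool                # immutable, offline or air-gapped
    taken_at: datetime            # point in time the copy represents
    verify_errors: Optional[int]  # errors in last restore test; None = never tested

def check_32110(copies, now, rpo):
    """Return a list of findings; an empty list means the copy set passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies")
    if len({c.media for c in copies}) < 2:
        findings.append("2: fewer than two media types")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    isolated = [c for c in copies if c.isolated]
    if not isolated:
        findings.append("1: no immutable or offline copy")
    for c in (c for c in copies if c.backup):
        if c.verify_errors is None:
            findings.append(f"0: {c.name} never restore-tested")
        elif c.verify_errors > 0:
            findings.append(f"0: {c.name} has {c.verify_errors} verify errors")
    # RPO is judged on isolated copies only: after ransomware they may be all that is left.
    newest = max((c.taken_at for c in isolated), default=None)
    if newest is not None and now - newest > rpo:
        findings.append(f"RPO: newest isolated copy is {now - newest} old")
    return findings

# Constructed sample inventory: the vault copy is stale and has never been restore-tested.
NOW = datetime(2026, 4, 21, 9, 0)
SAMPLE = [
    Copy("primary", "disk", False, False, False, NOW, None),
    Copy("local-backup", "disk", True, False, False, NOW - timedelta(hours=2), 0),
    Copy("vault", "object", True, True, True, NOW - timedelta(hours=26), None),
]
```

Calling `check_32110(SAMPLE, NOW, timedelta(hours=24))` reports the untested vault copy and the missed RPO, even though the copy count, media and offsite conditions are all met.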

How to implement an effective recovery strategy

Cegeka approaches cyber recovery using these four layers not as a one-off project but as a continuous journey. This journey improves maturity and reduces uncertainty with each iteration, building and refining capabilities over time to evolve with the organization.

Going on this cyber recovery journey with us provides organizations with the insights needed to develop their cyber recovery plan. Confidence in this plan comes from iterating, testing, and validating. In a follow-up blog post, we will take a closer look at the individual steps of the cyber recovery journey, exploring how they contribute to building a comprehensive, testable recovery capability.