The NIS2 Directive and Its Consequences


On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the European Union, known as the NIS2 Directive, came into force. In shaping this directive, its authors were guided by two main objectives: a higher level of security for critical infrastructure and digital services than before, and more effective protection against cyberattacks. Member states have until October 17, 2024, to implement this directive into their legal systems.

NIS2 in Poland. Who needs to prepare for the new regulations?

The NIS2 Directive imposes a series of obligations on EU member states aimed at ensuring an adequate level of protection for critical infrastructure owned by organizations in sectors such as energy, telecommunications, transportation, administration, healthcare, banking and insurance, as well as public utility companies. Entities operating in these sectors may act as either Key Digital Service Operators (KDSOs), providing services essential for the functioning of society and the economy, or Digital Service Providers (DSPs), offering digital services electronically, for payment, at the recipient's request. Under the Directive and related local regulations, both groups of entities will have to meet higher cybersecurity requirements and protect their data collections, including personal data. This includes implementing and maintaining an effective risk management system, with Disaster Recovery systems being one of its elements. The obligations arising from NIS2 will also affect entities using various generations of SAP ERP systems. These systems are widely used across Europe by enterprises and organizations in the aforementioned sectors, which makes them particularly vulnerable to cyberattacks.

How to implement Disaster Recovery for SAP ECC or S/4HANA?

Implementing a Disaster Recovery plan for SAP ECC or S/4HANA is a complex process that requires specialized knowledge and experience. Companies can either implement a Disaster Recovery plan themselves or outsource this task to an external consulting firm. Regardless of how the plan is developed, the procedure for its creation should ALWAYS include the following steps:

Risk analysis: At this stage, we try to determine what random events may occur and their potential impact on the SAP system. This includes assessing the probability of such events and the magnitude of their impact on critical business functions supported by the SAP system.

Identification of RPO and RTO goals: This stage involves determining two key Disaster Recovery indicators: RPO and RTO. The Recovery Point Objective (RPO) essentially answers the question: how much data loss can we accept, while the Recovery Time Objective (RTO) defines the maximum time in which the IT environment or its critical business functions must be restored to full functionality.

Technology and IT services: In this step, among various available solutions, we select technologies and services for backing up data and replicating SAP infrastructure that guarantee the required level of security and an acceptable cost level.

Testing and updates: Disaster Recovery plans and systems are not created once and for all. Establishing a schedule for testing the Disaster Recovery system, regular software updates, and security procedure updates will help avoid or at least minimize the risk of potential losses resulting from cyberattacks or data breaches.
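The RPO/RTO and testing steps above can be checked against measured data rather than assumed. The following is an added example, not part of the original article: it computes the worst-case data-loss window from the times recovery points reached the DR site and the slowest recovery from DR drills, then compares both to the targets. The target values, timestamps and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed targets for illustration; real values come out of the risk analysis.
RPO = timedelta(minutes=15)
RTO = timedelta(hours=4)

# Constructed sample data: times at which a consistent recovery point
# (backup or shipped log) reached the DR site, and two DR drill results.
RECOVERY_POINTS = ["2024-05-01T00:00", "2024-05-01T00:10", "2024-05-01T00:20",
                   "2024-05-01T00:55", "2024-05-01T01:05"]
WINDOW_END = "2024-05-01T01:10"
DRILLS = [("2024-03-01T09:00", "2024-03-01T12:10"),
          ("2024-04-05T09:00", "2024-04-05T12:40")]


def ts(value):
    return datetime.fromisoformat(value)


def worst_case_data_loss(points, window_end):
    """Largest interval in which a disaster would have lost data.

    Includes the gap between the last recovery point and the end of the
    observation window, which a plain "backup succeeded" check misses.
    """
    if not points:
        raise ValueError("no recovery points: data loss is unbounded")
    edges = sorted(ts(p) for p in points) + [ts(window_end)]
    return max(later - earlier for earlier, later in zip(edges, edges[1:]))


def evaluate(points, window_end, drills, rpo=RPO, rto=RTO):
    """Compare measured data-loss exposure and drill recovery times to targets."""
    loss = worst_case_data_loss(points, window_end)
    slowest = max(ts(restored) - ts(declared) for declared, restored in drills)
    return {"worst_data_loss": loss, "rpo_met": loss <= rpo,
            "slowest_recovery": slowest, "rto_met": slowest <= rto}


if __name__ == "__main__":
    for key, value in evaluate(RECOVERY_POINTS, WINDOW_END, DRILLS).items():
        print(f"{key}: {value}")
```

In the constructed data, every transfer job succeeded, yet the 35-minute gap between 00:20 and 00:55 breaches the 15-minute RPO, while both drills stay within the 4-hour RTO.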

Basic benefits of implementing a Disaster Recovery plan.

Implementing a DR plan for SAP S/4HANA systems is a necessary step for organizations aiming to ensure business continuity and data security in the face of increasing cyber threats. The NIS2 Directive sets clear requirements in this regard, making the implementation of a DR plan even more urgent. However, the need to develop and implement a Disaster Recovery plan is not just a form of insurance policy against events that may not necessarily affect every organization. A DR plan also offers a range of benefits, which should primarily drive the decision to implement such processes within an organization. The most important of these benefits include:

  • Increased resilience to cyberattacks.
  • Reduced risk of data loss in case of failures of hardware or of the servers on which the production SAP system is installed.
  • Minimization or even elimination of downtime resulting from the need to address the consequences of failures or attacks.
  • Increased trust from customers and partners.
  • Improvement of the organization's reputation.

Disaster Recovery for S/4HANA based on Google Cloud Platform solutions

In the previous paragraphs, when discussing the necessary elements of a Disaster Recovery plan, we talked about technological issues. For SAP system users, one option is to use solutions available within the Google Cloud Platform offering. Whether it's an SAP system installed in the customer's own environment or an S/4HANA system provided as part of the RISE with SAP offering, in both cases, we can provide an environment and configuration for Disaster Recovery servers on the Google Cloud Platform infrastructure, fully compliant with NIS2 requirements. Solutions could include:

  • Google Cloud Disaster Recovery for SAP - a comprehensive Disaster Recovery solution for SAP S/4HANA systems on GCP.
  • Google Cloud VMware Engine - an environment for running VMware virtual machines on GCP.
  • Google Cloud Storage - a secure location for storing SAP data backups.

What are the benefits of implementing Disaster Recovery for SAP ECC or S/4HANA?

As mentioned earlier, a Disaster Recovery plan offers numerous benefits. How does this look when utilizing solutions available on the Google Cloud Platform (GCP)? When discussing benefits, we primarily consider features such as scalability and flexibility, high availability in both technical and cost terms, security, and ease of use. Additional advantages include:

  • Access to Google's global infrastructure and Google server infrastructure in Poland, which may be significant for organizations wishing to keep their data within Poland or the European Union.
  • Access to the latest technologies and the opportunity to collaborate with Google experts.
  • Reduced carbon footprint: Google emphasizes environmentally friendly solutions, e.g., in terms of sourcing electrical energy from renewable sources.

In summary, implementing a Disaster Recovery system for SAP ECC or S/4HANA is an essential element in ensuring data security and business continuity for any organization utilizing these IT systems. It is also one of the foundations of Digital Transformation for enterprises.

Feel free to contact us - for various questions regarding NIS2, Disaster Recovery, backup policy, or adapting SAP systems to GDPR requirements, we can find answers together with you.