Why Storage Is Now a Top Compliance Priority

Storage is where compliance evidence lives now
For most of the past decade, storage was the last thing on a compliance team’s mind. You had a SIEM. You had endpoint detection. You had a firewall policy and an access management framework. Storage was infrastructure — something IT owned, something that worked in the background, something compliance reviewed once during an audit and forgot about until the next one. That is no longer where the conversation ends.

NIS-2 obligations applied across the EU from October 2024 (member states had to transpose the directive by 17 October 2024). DORA applied to the financial sector from 17 January 2025. The Critical Entities Resilience (CER) Directive extended the obligation to physical and operational continuity. In Germany, KRITIS sets some of the strictest critical infrastructure protection requirements in Europe, predating NIS-2 and running alongside it for organizations operating in the German market. In the US, CIRCIA will require covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransom payments within 24 hours once CISA's implementing rule takes effect, which changes what operators must be able to demonstrate when an incident occurs. These frameworks have one thing in common that is easy to miss if you are reading the headline summaries: they are not asking whether you have security tools. They are asking whether you can prove your data is recoverable, and whether you can prove it was not tampered with. That is a storage question.

Why the Storage Layer Keeps Getting Skipped

The gap is understandable. Compliance programs were built around the tools that generated logs — firewalls, identity platforms, endpoint agents. Storage systems, historically, were not primary log sources. They were not in scope for penetration testing. They were not the subject of tabletop exercises. The assumption was: if the rest of the controls hold, storage will be fine.

Ransomware changed that assumption permanently. The attack pattern that now concerns regulators most is not the one that exfiltrates data. It is the one that gains a foothold, lies dormant for 30, 60, 90 days while it spreads and reaches the backup infrastructure, and then encrypts. By the time the encryption trigger fires, every backup in the standard retention window contains a copy of the implant, and a restore from any of them brings the attacker back with the data. The question that follows is not "do you have backups?" It is: "do you have recovery points that you can prove were not touched?"

That is a harder question. And most organizations discover they cannot answer it cleanly until an auditor asks.

What Regulators Are Actually Testing

Strip away the framework-specific language and the technical annexes, and the compliance question that keeps surfacing across NIS-2, DORA, CER, and CIRCIA resolves into three things:

Can you recover? Not "do you have backups", but can you demonstrate, under test conditions, a defined recovery time objective (RTO) and recovery point objective (RPO) for your critical systems? Is that capability documented, tested, and evidenced?

Is your recovery data clean? If an attacker had elevated access to your environment for 60 days, how do you know the recovery points you are relying on were not modified? What is the verification mechanism? Who controls it — and critically, could a compromised admin account have touched it?

Who did what, and when? When an incident occurs and investigation begins, regulators expect an audit trail that attributes every configuration change, every access event, every policy modification to an identity and a timestamp. Not a general log — a specific, continuous, tamper-evident record.

These three questions land squarely on the storage infrastructure. Not on the perimeter. Not on the endpoint. On the layer where the data actually lives.

The Honest Assessment Most Organizations Haven’t Done

The compliance gap in storage is not usually a technology gap; it is an evidence gap. The technology to address these questions exists. What most organizations are missing is the posture: the combination of controls that works together, that is consistently applied, and that produces documentable proof rather than a verbal assurance.

Consider what “we have backups” actually means under scrutiny. It means there are scheduled backup jobs. It does not mean those backups are isolated from the attack surface. It does not mean the data has not been modified. It does not mean recovery has been tested recently. It does not mean there is a cryptographic proof of integrity that can be handed to an auditor.

The gap between “we have backups” and “we can demonstrate tamper-proof, verifiable recovery capability” is where most organizations currently sit. And for regulated entities operating under NIS-2, DORA, or CIRCIA, that gap is increasingly the gap between passing an audit and failing one.

What a Compliance-Ready Storage Posture Actually Looks Like

It is worth being specific; not about products, but about outcomes. A storage environment that satisfies the questions above has a few identifiable properties.

Recovery points such as snapshots are immutable. Not locked by convention or policy, but locked at the infrastructure layer, with cryptographic verification that the data has not changed since it was written. The integrity check must not depend on trusting an administrator. It depends on a digest recorded at write time and then sealed or stored where the administrator cannot rewrite it: a signed manifest, a WORM location, or a key held by a separate function. A bare hash that the same administrator can recompute after modifying the data proves nothing.
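The check described above, as an added example that is not DataCore's or SANsymphony's code: a recovery-point manifest records a SHA-256 digest of every block at write time and is sealed with an HMAC key that the storage administrator does not hold (assumed here to sit with the compliance function, in a KMS or HSM; a signature from a separate signer would serve the same purpose). The volume, block contents, snapshot id and key are all constructed for the example. The third scenario is the one that matters: an administrator who modifies a block and regenerates the digest list to match is still caught, because the seal cannot be reproduced without the key.

```python
import hashlib
import hmac
import json

# Constructed for this example: the sealing key belongs to the compliance /
# verification function (KMS or HSM), not to the storage admin.
SEALING_KEY = b"held-by-compliance-not-by-storage-admin"


def canonical(body: dict) -> bytes:
    """Deterministic JSON encoding so the seal covers exactly one byte string."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def write_recovery_point(snapshot_id: str, blocks: dict, written_at: int, key: bytes) -> dict:
    """Record a SHA-256 digest of every block at write time and seal the manifest.

    `blocks` maps block id -> bytes (constructed volume model).
    """
    body = {
        "snapshot_id": snapshot_id,
        "written_at": written_at,
        "blocks": {bid: hashlib.sha256(data).hexdigest() for bid, data in blocks.items()},
    }
    return {"body": body, "seal": hmac.new(key, canonical(body), "sha256").hexdigest()}


def verify_recovery_point(manifest: dict, blocks: dict, key: bytes) -> tuple:
    """Return (ok, findings).

    The seal is checked before any block digest, so a rewritten digest list is
    rejected even when its digests match the tampered data.
    """
    expected_seal = hmac.new(key, canonical(manifest["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_seal, manifest["seal"]):
        return False, ["manifest seal invalid: manifest altered or re-issued without the sealing key"]
    findings = []
    recorded = manifest["body"]["blocks"]
    if set(recorded) != set(blocks):
        findings.append("block set differs from the sealed manifest")
    for bid, digest in recorded.items():
        if bid in blocks and hashlib.sha256(blocks[bid]).hexdigest() != digest:
            findings.append(f"block {bid} changed since the recovery point was written")
    return not findings, findings


def demo() -> dict:
    """Clean snapshot, silently modified block, and a forged manifest."""
    snapshot = {"blk0": b"ledger v7", "blk1": b"payroll 2025-01", "blk2": b"audit-config"}
    manifest = write_recovery_point("snap-0001", snapshot, 1735689600, SEALING_KEY)

    # Scenario 1: nothing touched.
    clean_ok, _ = verify_recovery_point(manifest, snapshot, SEALING_KEY)

    # Scenario 2: a block is overwritten after the snapshot was taken.
    tampered = dict(snapshot, blk2=b"audit-config (retention reduced)")
    tamper_ok, tamper_findings = verify_recovery_point(manifest, tampered, SEALING_KEY)

    # Scenario 3: the admin also regenerates the digest list to match the
    # tampered data, but can only seal it with a key of their own.
    forged = write_recovery_point("snap-0001", tampered, 1735689600, b"storage-admin-guess")
    forged_ok, forged_findings = verify_recovery_point(forged, tampered, SEALING_KEY)

    return {
        "clean": clean_ok,
        "tampered_block": (tamper_ok, tamper_findings),
        "forged_manifest": (forged_ok, forged_findings),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The manifest can live on the array next to the snapshot; what must not live there is the key. An auditor who holds the key (or the public half of a signing key) can verify any recovery point without asking the storage team for anything but the bytes.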

Protection is continuous, not periodic. Backup windows create gaps. A ransomware attack that starts at 11:50pm against a midnight backup schedule loses nearly 24 hours of writes. Continuous data protection, which journals every write in real time, closes that window: recovery is not to the last backup but to the moment before the first malicious write. The journal is only worth something if it is itself immutable; an attacker with storage-admin rights who can truncate it has removed the recovery points along with the data.
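An added example, not DataCore's code, of the difference between a nightly copy and a write journal. The volume is modelled as a dict of block id to bytes, the clock as seconds since midnight, and the ransomware as writes that overwrite blocks with a marker value; all of that is constructed. The attack start time is an input, because in practice it comes from the investigation (the first malicious write in the journal), not from the storage layer guessing.

```python
from dataclasses import dataclass, field

ENCRYPTED = b"\x00ENC\x00"   # constructed marker for a block the ransomware overwrote


@dataclass(frozen=True)
class WriteRecord:
    t: int          # seconds since midnight (constructed clock)
    block: str
    data: bytes
    actor: str      # identity that issued the write


@dataclass
class JournaledVolume:
    """A volume that keeps a nightly copy and an append-only, time-ordered write journal."""
    blocks: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)
    nightly_copy: dict = field(default_factory=dict)
    nightly_taken_at: int = -1

    def write(self, rec: WriteRecord) -> None:
        # Every write is journaled before it lands. The journal must be immutable
        # in a real system or the attacker simply truncates it.
        self.journal.append(rec)
        self.blocks[rec.block] = rec.data

    def take_nightly_backup(self, t: int) -> None:
        self.nightly_copy = dict(self.blocks)
        self.nightly_taken_at = t

    def state_at(self, t: int) -> dict:
        """Replay the journal up to and including time t (journal is in time order)."""
        state = {}
        for rec in self.journal:
            if rec.t > t:
                break
            state[rec.block] = rec.data
        return state


def build_day() -> tuple:
    """Constructed timeline: midnight backup, three business writes, attack at 23:50."""
    vol = JournaledVolume()
    vol.write(WriteRecord(0, "blk0", b"ledger v1", "app"))
    vol.write(WriteRecord(0, "blk1", b"invoices v1", "app"))
    vol.take_nightly_backup(0)
    vol.write(WriteRecord(9 * 3600, "blk0", b"ledger v2", "app"))
    vol.write(WriteRecord(14 * 3600, "blk1", b"invoices v2", "app"))
    vol.write(WriteRecord(18 * 3600 + 1800, "blk2", b"quarterly report", "app"))
    attack_started_at = 23 * 3600 + 50 * 60
    for i, blk in enumerate(("blk0", "blk1", "blk2")):
        vol.write(WriteRecord(attack_started_at + i, blk, ENCRYPTED, "svc-backup"))
    return vol, attack_started_at


def assess(recovered: dict, vol: JournaledVolume, attack_started_at: int) -> dict:
    """How much of the last good pre-attack state does a recovered image preserve?"""
    last_good = {}
    for rec in vol.journal:
        if rec.t < attack_started_at:
            last_good[rec.block] = rec.data
    return {
        "encrypted_blocks": sum(1 for d in recovered.values() if d == ENCRYPTED),
        "lost_writes": sum(1 for b, d in last_good.items() if recovered.get(b) != d),
    }


def compare_recovery_options() -> dict:
    vol, attack_started_at = build_day()
    return {
        "live_volume": assess(vol.blocks, vol, attack_started_at),
        "nightly_backup": assess(vol.nightly_copy, vol, attack_started_at),
        "cdp_rollback": assess(vol.state_at(attack_started_at - 1), vol, attack_started_at),
    }


if __name__ == "__main__":
    for option, result in compare_recovery_options().items():
        print(f"{option:16} {result}")
```

The nightly copy is clean but loses every write made during the day; the journal rollback loses nothing. The part that is hard in production is the `attack_started_at - 1` argument: the point to roll back to has to be established from evidence (the first write by the compromised identity, the first block that no longer looks like the application's data), and that is exactly why the journal needs identity and timestamp on every record.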

Access is governed and auditable. Every administrative action at the storage layer is attributed to an identity and timestamped. The audit trail is not an afterthought: it is a first-class, tamper-evident output of the storage system, produced automatically, queryable on demand, and copied on a schedule to a system the storage administrator cannot edit.
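An added example, not DataCore's code, of what "tamper-evident" means for the audit trail asked for above and under "Who did what, and when?": a hash-chained log in which each record commits to the hash of its predecessor, plus an externally anchored head hash. Identities, timestamps and actions are constructed. The last scenario is the reason the anchor exists: whoever controls the whole log can scrub a record and rebuild a perfectly consistent chain, and only a head hash previously copied somewhere they cannot write reveals it.

```python
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(prev_hash: str, entry: dict) -> str:
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    """Append-only log; every record commits to the hash of its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, ts: int, identity: str, action: str, detail: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {"ts": ts, "identity": identity, "action": action, "detail": detail}
        h = entry_hash(prev, entry)
        self.records.append({**entry, "prev": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: list, anchored_head: str = None) -> tuple:
    """Recompute every link. `anchored_head` is the head hash previously copied to
    a system the storage admin cannot write to; without it a consistent whole-log
    rewrite by the log's owner passes the link check."""
    prev = GENESIS
    for i, rec in enumerate(records):
        entry = {k: rec[k] for k in ("ts", "identity", "action", "detail")}
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, entry):
            return False, f"chain broken at record {i} ({rec['action']})"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored head: records removed or rebuilt"
    return True, "ok"


def demo() -> dict:
    log = AuditLog()
    log.append(1735700000, "alice@storage-admins", "snapshot.create", {"volume": "vol-prod-01"})
    log.append(1735703600, "svc-backup", "snapshot.retention.set", {"volume": "vol-prod-01", "days": 1})
    log.append(1735707200, "alice@storage-admins", "snapshot.create", {"volume": "vol-prod-01"})
    anchored = log.head()   # assumed to be copied to the SIEM / compliance store

    # The retention change is the record an attacker would want gone.
    scrubbed = [r for r in log.records if r["action"] != "snapshot.retention.set"]
    edited = [dict(r) for r in log.records]
    edited[1]["identity"] = "alice@storage-admins"   # re-attribute the action
    rebuilt = AuditLog()                             # scrub, then re-chain consistently
    for r in scrubbed:
        rebuilt.append(r["ts"], r["identity"], r["action"], r["detail"])

    return {
        "intact": verify_chain(log.records, anchored),
        "record_deleted": verify_chain(scrubbed, anchored),
        "record_edited": verify_chain(edited, anchored),
        "rebuilt_no_anchor": verify_chain(rebuilt.records),
        "rebuilt_with_anchor": verify_chain(rebuilt.records, anchored),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20} {result}")
```

Anchoring can be as simple as forwarding the head hash with each batch of records to the SIEM, where the storage admin has no write access; the chain proves internal consistency, the anchor proves nobody started over.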

Resilience is measured, not assumed. The question “how resilient is your storage?” should not be answered with a description of your architecture. It should be answered with a number, a methodology, and a timestamp. Organizations that have moved toward a quantified resilience posture — knowing their score, knowing what changes it, and knowing how it maps to their regulatory obligations — are in a fundamentally different compliance conversation than those who are still relying on architectural diagrams.

The Window That Is Closing

NIS-2 is past its transposition deadline and enforcement is under way where member states have transposed it. DORA has applied since 17 January 2025. Regulators are not waiting for organizations to get comfortable with the frameworks before they start asking questions.

The organizations that will handle audit scrutiny best are not the ones that rushed to deploy a compliance tool in the weeks before an assessment. They are the ones that built the posture: the immutability, the continuity, the access governance, the audit trail — as properties of their infrastructure, not as additions bolted on at the last minute.

Storage has always been where the data lives. It is now also where compliance evidence lives. The question is whether your storage infrastructure is ready to produce it.

DataCore SANsymphony: Built for the Audit, Not Just the Architecture

Most storage platforms were designed before compliance was a storage conversation. The controls regulators now demand were retrofitted later, if they exist at all.
DataCore SANsymphony is different. It delivers immutable, cryptographically verifiable recovery points, continuous data protection, and a live cyber resiliency rating that gives auditors a quantified, documentable answer to the resilience question, not an architecture diagram.

For organizations operating under NIS-2, DORA, CER, or CIRCIA, this matters because compliance evidence has to be available when scrutiny arrives. SANsymphony helps make that evidence part of the infrastructure itself, turning storage into a source of demonstrable resilience rather than a system compliance teams have to explain after the fact.