Take your pick: from DORA (EU) and NIST (USA) to the PDPA (Singapore) and the APPs (Australia), regulatory pressure on companies around the world is increasing. Regulators, insurers and customers want more than assurance that the business is protected: they want to be shown where its data flows, which controls apply to it and, with clean records, how the business will get back on its feet after an incident.
This is the shift towards resilience built on explainability: fast and reliable recovery, with traceability and auditability built into every step. Organizations must design their data resilience strategies from a compliance perspective, so that the digital footprint of their data management processes withstands scrutiny.
Business first, regulatory compliance always
Data outages and cyberattacks are unavoidable business risks that must be monitored and reported, with robust systems in place to do so. The Veeam Data Resilience Maturity Model (DRMM), developed in collaboration with McKinsey and MIT, recommends integrating business strategy, people, processes and technology to reduce risk, accelerate recovery and strengthen long-term resilience.
Explainable data resilience, the glue that binds these elements, must be held to the same standard as audited financial statements, with metrics that speak to key stakeholders:
- Investor confidence: transparent and tested recovery plans reduce perceived operational and financial risk.
- Reputation protection: fast and reliable recovery preserves the strength of the brand.
- Leadership accountability: leaders are answerable for the state of evidence-based resilience.
- Lower fines and insurance costs: transparent and auditable controls reduce exposure to regulatory non-compliance and to rising insurance premiums.
Regulatory advancement is outpacing compliance readiness
Across Asia, the regulatory push is undeniable. Singapore's Shared Responsibility Framework holds financial institutions and telecommunications companies responsible for mitigating phishing scams and requires them to compensate scam victims when they fail to meet their obligations.
In Australia, enforcement of data protection rules has been stepped up and companies face penalties of up to 50 million Australian dollars (more than 27 million euros) for serious data breaches. In India, although the implementing rules of the Digital Personal Data Protection Act (DPDP) are still pending, penalties can reach 2.5 billion Indian rupees (250 crore, more than 27 million euros).
Meanwhile, Japanese companies have voiced concern about administrative fines for serious violations. While regulatory approaches are not yet harmonized, the long-term message is clear: companies must get their data resilience systems in order.
The reality, however, is that organizations are not prepared. According to the Veeam Data Resilience Maturity Model (DRMM) report, 30% of CIOs overestimate their data resilience, and fewer than 10% score above average. 74% of organizations sit at the basic or intermediate level, with significant room for improvement. In addition, 13% of respondents to Veeam's 2024 Data Protection Enterprise Buyer's Guide had no disaster recovery plan or had never tested it; 28% tested it only once a year, and only 27% more than twice a year.
Build data resilience with explainability
Think of data resilience as the foundation of an enterprise structure, with explainability as its built-in dashboard. At Veeam, we believe a four-step approach holds the key to success:
1 Map, label and trace data flows
Start with the question most teams avoid: do we actually know what data we have? The output should be a comprehensive inventory of business-critical services and data flows across physical, virtual, cloud and backup environments. Adopt a standard data classification policy that covers sensitivity labels, the controls attached to each label, handling guidelines and the recovery sequence. Think of the result as a multi-level map that humans can read and machines can act on.
2 Develop a data management center
Once the classification map exists, a data management center such as the one offered by Securiti AI is recommended. Integrating data security posture management with a data intelligence platform such as Veeam Data Platform v13 lets teams track lineage and validate policy enforcement across environments: production, SaaS, cloud, endpoints and backups. Organizations gain complete visibility and control over their entire data estate.
3 Test and audit periodically
Regular testing and auditing of data resilience strategies strengthens the company's ability to respond and recover quickly in a crisis. This means scheduling automated tests several times a year, confirming that offline, isolated and unalterable copies exist and actually restore, developing a runbook for each critical service, and documenting the results as an auditable trail, so that all of this becomes standard practice rather than an exception.
4 Show the evidence
Make it easy for decision makers: a single dashboard with complete visibility into key metrics, including protected asset coverage, backup and immutability success rates, drill frequency and pass rate, recovery readiness, and compliance status with links to the supporting evidence.
According to the DRMM framework, high-performing companies score well on a range of business metrics, including seven times faster recovery (MTTR), three times less downtime (RTO), four times less data loss (RPO) and around 10% higher average revenue growth.
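The four steps above, and the questions in the closing section ("can we prove it?", "when was the last recovery test and how did it go?"), describe something checkable. The following Python is an added example, not Veeam's or Securiti's code: it holds a small machine-readable inventory (service names, tiers, copy attributes, drill records and evidence references are all constructed here) and computes the dashboard figures from step 4, flagging each service whose copies or drills would not stand up to a regulator's question.

```python
"""Evidence checks over a machine-readable resilience inventory (added example).

The inventory layout and all sample data below are constructed for illustration;
nothing here is a Veeam or Securiti data structure.
"""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Copy:
    location: str        # assumed label for where the copy lives
    immutable: bool      # cannot be altered or deleted before retention expires
    isolated: bool       # no routable path or shared credentials from production
    offline: bool        # air-gapped or powered-off media


@dataclass
class Drill:
    run_on: date
    passed: bool
    restore_minutes: int  # measured time to bring the service back
    evidence_ref: str     # constructed ticket/report id the dashboard links to


@dataclass
class Service:
    name: str
    classification: str   # sensitivity label from the classification policy
    recovery_tier: int    # 1 = restore first
    rto_minutes: int
    rpo_minutes: int
    copies: list = field(default_factory=list)
    drills: list = field(default_factory=list)


def has_protected_copy(svc: Service) -> bool:
    """An unalterable copy out of reach of the production environment."""
    return any(c.immutable and c.isolated for c in svc.copies)


def drills_in_window(svc: Service, as_of: date, window_days: int = 365) -> list:
    start = as_of - timedelta(days=window_days)
    return [d for d in svc.drills if start < d.run_on <= as_of]


def last_passed_drill(svc: Service, as_of: date):
    passed = [d for d in svc.drills if d.passed and d.run_on <= as_of]
    return max(passed, key=lambda d: d.run_on) if passed else None


def assess_service(svc: Service, as_of: date, min_drills_per_year: int = 2) -> list:
    """Return the findings a regulator would ask about; an empty list is a pass."""
    findings = []
    if not has_protected_copy(svc):
        findings.append("no immutable isolated copy")
    recent = drills_in_window(svc, as_of)
    if len(recent) < min_drills_per_year:
        findings.append(f"only {len(recent)} drill(s) in last 365 days, need {min_drills_per_year}")
    last = last_passed_drill(svc, as_of)
    if last is None:
        findings.append("no passed recovery drill on record")
    elif last.restore_minutes > svc.rto_minutes:
        findings.append(f"last passed drill took {last.restore_minutes} min, RTO is {svc.rto_minutes}")
    return findings


def evidence_report(services: list, as_of: date, min_drills_per_year: int = 2) -> dict:
    """Dashboard figures: tier-1 protected coverage, drill cadence, pass rate, findings."""
    tier1 = [s for s in services if s.recovery_tier == 1]
    protected = sum(has_protected_copy(s) for s in tier1)
    drills = [d for s in services for d in drills_in_window(s, as_of)]
    passed = sum(d.passed for d in drills)
    findings = {}
    for s in services:
        result = assess_service(s, as_of, min_drills_per_year)
        if result:
            findings[s.name] = result
    return {
        "as_of": as_of.isoformat(),
        "tier1_services": len(tier1),
        "tier1_protected_coverage": protected / len(tier1) if tier1 else 1.0,
        "drills_last_365d": len(drills),
        "drill_pass_rate": passed / len(drills) if drills else 0.0,
        "findings": findings,
    }


# Constructed sample inventory: three services with different gaps.
AS_OF = date(2025, 6, 30)
INVENTORY = [
    Service("payments-ledger", "restricted", 1, rto_minutes=60, rpo_minutes=5,
            copies=[Copy("prod-snapshots", False, False, False),
                    Copy("vault-a", True, True, False)],
            drills=[Drill(date(2025, 1, 15), True, 42, "DR-2025-014"),
                    Drill(date(2025, 5, 20), True, 55, "DR-2025-061")]),
    Service("customer-crm", "confidential", 1, rto_minutes=240, rpo_minutes=60,
            copies=[Copy("prod-snapshots", False, False, False)],
            drills=[Drill(date(2024, 3, 3), True, 180, "DR-2024-020")]),
    Service("hr-records", "restricted", 2, rto_minutes=1440, rpo_minutes=1440,
            copies=[Copy("tape-offsite", True, True, True)],
            drills=[Drill(date(2025, 2, 1), False, 0, "DR-2025-019"),
                    Drill(date(2025, 4, 10), True, 1500, "DR-2025-045")]),
]

if __name__ == "__main__":
    print(json.dumps(evidence_report(INVENTORY, AS_OF), indent=2))
```

With the sample data, payments-ledger passes cleanly, customer-crm is flagged for having no immutable isolated copy and no drill in the last year, and hr-records is flagged because its last successful restore took longer than its RTO. The point of keeping the inventory structured this way is that each figure on the dashboard traces back to a named copy or a drill record with an evidence reference, which is exactly what an auditor will ask to see.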
Make data resilience understandable and compliance-ready
While data protection requirements vary by market, regulators' demands converge on the same themes: availability, traceability and accountability. For multinational companies, the goal should be a single, harmonized resilience monitoring system with explainability built in: design for the most stringent regime, layer in local evidence requirements, and stay audit-ready across all markets. As business opportunities emerge and change, rapid recovery and broad compliance-ready coverage will become strategic differentiators.
Take the next step
So ask your team whether they can explain each copy of critical data. Are there offline, isolated, unalterable copies for every critical business service? Can we prove it? When was the last automated recovery test for each one, and how did it go? If we had to report to the board or a regulator tomorrow, could we clearly show the data flows, the controls and the recovery runbook? If the answers do not come easily, that lack of explainability is a clear sign of combined risk: operational, commercial, reputational and regulatory.
The good news is that Veeam's suite of data and AI solutions provides the building blocks that bring business intelligence, data protection, backup, testing and recovery together for organizations of any size. What it takes is a mindset shift: treating explainability, data resilience and compliance as a single core capability.
By Rick Vanover, VP of Product Strategy at Veeam Software
