
A Strategic Guide to Cyber Essentials Plus Backup Requirements for 2025

08.11.2025 · 10 minute read
Thomas Demoor, CTO, Impossible Cloud
How to align your data protection strategy with UK compliance standards using sovereign, immutable cloud storage.

Achieving Cyber Essentials Plus certification demonstrates a strong commitment to cyber security for UK organisations. Although the scheme's five technical controls do not explicitly mandate data backups, the National Cyber Security Centre (NCSC) strongly advises them as best practice for resilience. A robust backup strategy is your single most effective defence against data loss from hardware failure or a ransomware attack. This guide provides a clear path to understanding the Cyber Essentials Plus backup requirements, helping you build a modern, compliant, and sovereign data protection framework that ensures business continuity and aligns with emerging UK regulations.

Key Takeaways

  • While not a mandatory control, a robust backup strategy following the 3-2-1 rule is a highly recommended best practice for Cyber Essentials Plus resilience.
  • Using a sovereign cloud provider with UK or EU data centres supports UK GDPR compliance and avoids the legal risks created by the US CLOUD Act.
  • Immutable backups with Object Lock are your most effective defence against ransomware, as they make your recovery data undeletable and unchangeable.

Clarify Core Backup Principles for Cyber Essentials

The Cyber Essentials scheme focuses on preventing the most common cyber attacks, which it achieves through five key technical controls. Backups are positioned as a crucial recovery measure, not a preventative one, hence their advisory status. However, for Cyber Essentials Plus, where a higher level of assurance is required, having a tested and reliable recovery plan is indispensable. The widely endorsed 3-2-1 rule provides a solid foundation: maintain at least three copies of your data on two different media, with at least one copy stored off-site. This off-site copy is your ultimate safeguard against a localised incident like a fire, flood, or a ransomware attack that compromises your entire network, provided it cannot be reached with the same credentials and network paths the attacker has already taken over; an off-site copy writable from a compromised backup server is just another target. Adopting this principle is the first step toward a truly resilient data posture.

Implement a Sovereign Strategy for UK Data Residency

Storing your off-site backup within the correct jurisdiction is a critical compliance consideration. For UK businesses, this means ensuring data residency that aligns with UK GDPR and avoids exposure to foreign laws like the US CLOUD Act. Storing data with a provider subject to US jurisdiction can create a legal conflict, where UK and EU privacy protections are potentially overridden. Impossible Cloud addresses this directly by operating exclusively in certified European data centres, offering country-level geofencing so that your data never leaves the UK or EU. This sovereign-by-design approach provides the legal certainty that 75% of EU enterprises now demand. Explore our UK data residency solutions to learn more. This strategy ensures your backup plan fully supports your compliance obligations.

Defend Against Ransomware with Immutable Backups

Cyber criminals actively target backups to prevent recovery and increase their leverage for a ransom payment. A standard backup can be deleted or encrypted by attackers, rendering it useless when you need it most. The official guidance recommends using cloud services that save files as immutable versions. Impossible Cloud's Immutable Storage with Object Lock makes your backup data unchangeable and undeletable for a period you define. Here is how it works:

  • Once an object version is locked, it cannot be overwritten or deleted by anyone, including an administrator or the account owner, until the retention period expires. This holds for compliance-mode retention; S3's governance mode can be lifted early by a principal holding the bypass permission, so confirm which mode your backup job sets.
  • This gives you an air-gapped-style copy of your data. An attacker who steals the backup credentials can still upload new objects or issue delete requests, but a delete against a locked, versioned object only adds a delete marker; the locked version stays intact and restorable.
  • It preserves a known-good recovery point, provided the retention period is longer than the time an intruder may sit undetected in your network. If the period is shorter, every clean version can age out before you know you need it, and you may be forced to choose between paying a ransom and losing data.
  • This feature is a core component of a modern ransomware defence and disaster recovery plan.
This approach directly answers the need for a secure, off-site copy that can withstand a direct attack.
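The following is an added example, not code from the original article or from Impossible Cloud: a small audit script that checks whether an S3-compatible backup bucket actually has the properties described above (versioning on, Object Lock on, default retention in COMPLIANCE mode, and a retention period long enough to outlast an attacker's dwell time). The pure functions take the dictionaries that the S3 API calls GetBucketVersioning, GetObjectLockConfiguration and GetObjectRetention return in boto3's response shape; the sample responses, the retention figures and the bucket and endpoint names are constructed for illustration, and `audit_live()` is the only part that needs boto3 and real credentials.

```python
"""Audit checks for an S3-compatible backup bucket: versioning on, Object Lock on,
default retention in COMPLIANCE mode and long enough to outlast an attacker's
dwell time. Pure functions take the dicts the S3 API returns (boto3 response
shape); audit_live() wires them to a real endpoint."""
from datetime import datetime, timedelta, timezone


def required_retention_days(backup_interval_days, dwell_time_days, restore_window_days):
    """Minimum lock period: the last clean backup is up to one interval older than
    the intrusion, the intrusion may go unnoticed for the dwell time, and you still
    need time to rebuild from that copy after detection."""
    return backup_interval_days + dwell_time_days + restore_window_days


def evaluate_bucket(versioning, lock_config, min_days):
    """Return findings for a bucket (empty list means it passes).

    versioning  -- GetBucketVersioning response, e.g. {"Status": "Enabled"}
    lock_config -- GetObjectLockConfiguration response, or {} when the service
                   reports that the bucket has no lock configuration
    """
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: rewriting an object replaces the only copy")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: a stolen credential can delete every backup")
        return findings
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention: objects are locked only if the backup job sets one")
        return findings
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("default retention mode is %s: GOVERNANCE can be lifted early by a "
                        "principal holding s3:BypassGovernanceRetention" % rule.get("Mode"))
    days = rule.get("Days") or 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append("default retention of %d days is shorter than the required %d" % (days, min_days))
    return findings


def evaluate_object(retention, now):
    """Check one object's GetObjectRetention response: COMPLIANCE mode and a
    RetainUntilDate still in the future. On a versioned bucket a plain DELETE only
    adds a delete marker; the locked version itself remains readable."""
    r = retention.get("Retention")
    if not r:
        return ["object carries no retention: it can be deleted today"]
    findings = []
    if r.get("Mode") != "COMPLIANCE":
        findings.append("object retention mode is %s, not COMPLIANCE" % r.get("Mode"))
    if r["RetainUntilDate"] <= now:
        findings.append("retention expired on %s" % r["RetainUntilDate"].date())
    return findings


def audit_live(bucket, endpoint_url, min_days, sample=50):
    """Run the same checks against a real S3-compatible endpoint. Needs boto3 and
    credentials in the environment; endpoint_url is how a non-AWS S3 service is
    addressed. Returns (bucket_findings, {key: object_findings})."""
    import boto3  # imported here so the offline self-check below does not need it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    try:
        lock_cfg = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError:  # ObjectLockConfigurationNotFoundError
        lock_cfg = {}
    findings = evaluate_bucket(s3.get_bucket_versioning(Bucket=bucket), lock_cfg, min_days)
    now = datetime.now(timezone.utc)
    per_object = {}
    for v in s3.list_object_versions(Bucket=bucket, MaxKeys=sample).get("Versions", []):
        try:
            ret = s3.get_object_retention(Bucket=bucket, Key=v["Key"], VersionId=v["VersionId"])
        except ClientError:  # no retention set on this version
            ret = {}
        per_object[v["Key"]] = evaluate_object(ret, now)
    return findings, per_object


# Constructed sample responses and figures (not captured from any real bucket).
MIN_DAYS = required_retention_days(backup_interval_days=1, dwell_time_days=14, restore_window_days=3)
WEAK_BUCKET = {
    "versioning": {"Status": "Suspended"},
    "lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
}
HARDENED_BUCKET = {
    "versioning": {"Status": "Enabled"},
    "lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
}
SAMPLE_NOW = datetime(2025, 11, 8, tzinfo=timezone.utc)
SAMPLE_RETENTION_OK = {"Retention": {"Mode": "COMPLIANCE",
                                     "RetainUntilDate": SAMPLE_NOW + timedelta(days=30)}}
SAMPLE_RETENTION_WEAK = {"Retention": {"Mode": "GOVERNANCE",
                                       "RetainUntilDate": SAMPLE_NOW - timedelta(days=1)}}

if __name__ == "__main__":
    for name, b in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, evaluate_bucket(b["versioning"], b["lock"], MIN_DAYS) or "OK")
    # For a real bucket: print(audit_live("backups", "https://s3.example.invalid", MIN_DAYS))
```

The retention arithmetic is the point most often missed: a seven-day lock on a daily backup protects nothing if the intrusion is only discovered three weeks after it started, because every clean version has already aged out. Run the checks after every change to the bucket or the backup job, not only at onboarding.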

Future-Proof Your Strategy with UK NIS Regulations and Data Act Alignment

Compliance is not static, and UK businesses must keep pace with regulations such as the UK NIS Regulations and the EU Data Act. The UK NIS Regulations require operators of essential services and relevant digital service providers to maintain business continuity and disaster recovery capabilities, of which backups are a central part. A resilient, tested backup strategy is no longer just a best practice; it is becoming a legal requirement across Europe. Furthermore, the EU Data Act, which applies from September 2025, aims to eliminate vendor lock-in and requires providers to phase out data egress (switching) charges by 2027. Impossible Cloud's model of zero egress fees and zero API call costs already aligns with this principle. This predictable pricing ensures you can access your data for restores or migration without financial penalty, preserving your long-term freedom of action. This forward-looking approach simplifies your multi-layered compliance challenges.

Leverage S3 Compatibility for Seamless Integration

A compliant backup strategy should not require a complete overhaul of your existing IT operations. Impossible Cloud offers full S3-API compatibility, ensuring it works out-of-the-box with your current backup software and scripts. This protects your past investments in tools and training, minimising migration risk by over 90%. Our platform integrates seamlessly with leading solutions, including integrations with Veeam and NovaBackup. This allows you to point your existing backup jobs to our sovereign cloud storage with only a few configuration changes, typically the endpoint URL, a bucket name and a dedicated set of credentials. The underlying architecture is an "Always-Hot" object storage model, meaning all your data is immediately accessible without the restore delays or hidden fees associated with tiered storage systems. This simplifies operations and delivers predictable performance when you need it most.

Follow a 5-Step Checklist for Compliant Backups

Use this practical checklist to ensure your backup strategy meets the resilience standards expected for Cyber Essentials Plus certification. A successful plan requires more than just one copy of your data. Here are five steps to follow:

  1. Adopt the 3-2-1 Rule: Create three copies of your data, use two different types of media, and ensure at least one copy is stored in a secure, off-site location.
  2. Ensure Data Sovereignty: Select a UK- or EU-based cloud storage provider such as Impossible Cloud to host your off-site copy, supporting UK GDPR compliance and avoiding CLOUD Act entanglements.
  3. Enable Immutability: Use Object Lock to make your off-site backups unchangeable for a defined retention period, protecting them from ransomware. Check that the lock is applied in compliance mode and that the period outlasts the longest time an intrusion could plausibly go unnoticed.
  4. Test Your Restores Regularly: Schedule and perform regular tests to verify you can recover data from your backups successfully. An untested backup is not a reliable one.
  5. Document Your Process: Keep clear records of your backup policies, procedures, and test results to present to auditors during your Cyber Essentials Plus assessment.
This structured approach transforms your backup system from a simple utility into a strategic asset for your cloud backup and security posture.
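Steps 4 and 5 of the checklist, as an added example that is not part of the original article: a restore-test harness that records a SHA-256 manifest when the backup is written, restores the backup into a scratch directory, verifies every file against the manifest, and appends a dated JSON record of the outcome that can be shown to an assessor. Local directories stand in for the S3 bucket, and the file contents, paths and record format are constructed for illustration; with a real target the copy would be an upload and the manifest would be stored with the same retention as the data it describes.

```python
"""Restore-test harness for checklist steps 4 and 5: record a manifest when the
backup is written, restore into a scratch directory, verify every file against
the manifest, and append a dated, auditor-readable record of the result."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map each file's path (relative, POSIX style) to its SHA-256."""
    directory = Path(directory)
    return {p.relative_to(directory).as_posix(): sha256_file(p)
            for p in sorted(directory.rglob("*")) if p.is_file()}


def write_backup(source_dir, backup_dir):
    """Stand-in for the backup job: copy the data and store the manifest beside it."""
    backup_dir = Path(backup_dir)
    shutil.copytree(source_dir, backup_dir / "data")
    manifest = build_manifest(source_dir)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(restored_dir, manifest):
    """Compare a restored tree with the manifest. Returns a list of problems;
    an empty list means every expected file came back byte-for-byte."""
    actual = build_manifest(restored_dir)
    problems = []
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != expected:
            problems.append("checksum mismatch: " + rel)
    return problems


def run_restore_test(backup_dir, record_path):
    """Step 4: restore into a throwaway directory and verify. Step 5: append the
    outcome as one JSON line that can be presented during the assessment."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        shutil.copytree(backup_dir / "data", target)  # the restore itself
        problems = verify_restore(target, manifest)
    record = {
        "tested_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "backup": str(backup_dir),
        "files_expected": len(manifest),
        "ok": not problems,
        "problems": problems,
    }
    with open(record_path, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Self-contained run on constructed files: one clean restore test, then one
    after a backup file has been silently overwritten, which an untested backup
    would never reveal. Returns (first_ok, second_ok, records_written)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, log = root / "source", root / "backup", root / "restore-tests.jsonl"
        (source / "notes").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")
        (source / "notes" / "runbook.txt").write_text("restore: see section 4\n")
        write_backup(source, backup)
        first = run_restore_test(backup, log)
        (backup / "data" / "ledger.csv").write_text("id,amount\n1,10\n2,99\n")  # simulated corruption
        second = run_restore_test(backup, log)
        return first["ok"], second["ok"], len(log.read_text().splitlines())


if __name__ == "__main__":
    print(demo())
```

The value of the harness is the second run: a backup that copies successfully but restores to different bytes is exactly the failure an untested backup hides, and the appended record gives the assessor a dated history of passes and failures rather than a verbal assurance.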

Partner with Experts for Resilient Cloud Backup

For Managed Service Providers (MSPs) and resellers, guiding clients through Cyber Essentials Plus offers a significant value-add. Impossible Cloud is partner-ready, offering a multi-tenant console, automation via API/CLI, and predictable margins thanks to our zero-egress-fee model. With distribution in the UK through Northamber plc, we provide local access and support for our channel partners. By building your Backup-as-a-Service (BaaS) offerings on a sovereign and resilient platform, you can deliver the compliance and security your clients need with a financial model that works for you. Our secure cloud backup in the UK is designed for the channel. This partnership ensures you can meet client demands with confidence.

FAQ

What are the main differences between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment certification against five core technical controls. Cyber Essentials Plus includes the same controls but requires a hands-on technical verification and audit by an independent, external certification body to provide a higher level of security assurance.

How does Impossible Cloud's pricing model benefit my backup strategy?

Impossible Cloud offers a transparent pricing model with no egress fees or API call costs. This is critical for a backup strategy, as it means you will never face unexpected, high charges when you need to restore large amounts of data during an emergency.

Is Impossible Cloud compatible with my existing backup software?

Yes. Impossible Cloud is fully S3 API compatible, which means it integrates seamlessly with virtually all modern backup and recovery software that supports S3 object storage as a target. This allows for a simple and fast migration.

What does 'Always-Hot' storage mean?

Always-Hot storage means all your data is stored in a single, high-performance tier and is immediately accessible at all times. This eliminates the complexity, delays, and potential extra costs associated with retrieving data from slower, cheaper 'cold' storage tiers, which is crucial for rapid disaster recovery.

How does this backup strategy help with the UK NIS Regulations?

The UK NIS Regulations mandate that affected organisations have robust business continuity and crisis management plans, including secure backups. A sovereign, immutable, and regularly tested backup strategy is a foundational component of meeting these strict compliance requirements.

Where are Impossible Cloud's data centers located?

Impossible Cloud operates exclusively in certified, secure data centres within Europe. We offer country-level geofencing, allowing you to restrict your data storage to specific regions, including the UK, to meet strict data residency and sovereignty requirements.
