faaleoleo · June 2026 · Business

The Real Cost of Backup
Risk, Legal Liability, and What Happens When You Find Out Too Late

faaleoleo Team · 16 min read · contact@faaleoleo.io

Most organisations never think about what backup actually costs until the moment they discover what losing data actually costs. That moment arrives without warning, and it rarely arrives at a convenient time. This is a structured cost and risk analysis — for IT leaders, finance managers, and the people who sign off on infrastructure budgets — covering legal exposure, knowledge gaps, configuration effort, ongoing operational hours, and the hard arithmetic of why a functioning backup programme is almost always the cheapest line item in the technology budget.


The problem with how organisations think about backup

Backup is typically classified as infrastructure overhead. It sits in the IT budget alongside power, cooling, and network hardware — necessary, unglamorous, reviewed only when the renewal invoice arrives. It does not generate revenue. It does not appear in product roadmaps. No one schedules a board presentation on backup health.

This classification error has consequences. When budget pressure arrives, infrastructure overhead is where organisations look first. Backup schedules are extended, storage tiers are downgraded, monitoring contracts are renegotiated away, and the number of people who understand how the backup environment actually works quietly shrinks as departing team members are not replaced.

Everything appears fine until it is not. At that point — a ransomware attack, a hardware failure, a misconfigured migration, an accidental deletion of production data — the true cost of the decisions made in those budget reviews becomes visible all at once.


Legal exposure: what you may owe even before you lose a customer

The legal landscape around data protection and business continuity has changed substantially in recent years. Backup is no longer just an operational best practice. For many organisations, it is a legal obligation — and the failure to maintain it is a liability.

GDPR: backup as a data integrity requirement

The General Data Protection Regulation does not use the word "backup" extensively, but the obligations it creates make backup operationally mandatory for any organisation processing personal data. Article 32 requires "appropriate technical and organisational measures" to ensure the availability and resilience of processing systems, and to restore availability following a physical or technical incident. If personal data is lost because a backup programme did not exist, failed silently, or had not been tested, that is a breach of Article 32.

The consequences:

| Tier | Maximum fine |
|---|---|
| Lower tier violation (Article 32 failures) | €10,000,000 or 2% of global annual turnover |
| Upper tier violation (fundamental rights, principles) | €20,000,000 or 4% of global annual turnover |

Beyond fines, a data breach that results in personal data loss triggers mandatory notification to the supervisory authority within 72 hours, and in many cases to affected individuals directly. The reputational cost of a public breach notification frequently exceeds the regulatory fine.

NIS2: backup explicitly named as a legal requirement

The NIS2 Directive (EU 2022/2555), which became binding across EU member states in October 2024, names backup management explicitly in Article 21(1)(c) alongside disaster recovery and crisis management. For organisations in scope — essential entities and important entities across 18 covered sectors — maintaining a backup programme is not optional. The quality of that programme, including whether it has been tested and documented, is subject to review by national competent authorities.

Article 20 additionally creates personal liability for management. If an incident occurs and the investigation establishes that management failed to oversee the security programme — including its backup and recovery components — national authorities may issue public statements naming responsible individuals and temporarily prohibit them from holding management functions.

Sector-specific requirements

Beyond GDPR and NIS2, specific sectors carry additional data retention and recovery obligations:

If your organisation operates in a regulated sector and cannot demonstrate a functioning backup programme, you face legal exposure that is independent of whether you have actually experienced a loss event. The absence of the programme is itself the violation.


The knowledge gap: what organisations consistently underestimate

The most expensive component of backup is rarely hardware or software. It is the human knowledge required to configure, operate, and restore from a properly functioning enterprise backup environment. This knowledge is also the component that erodes most quietly.

What a competent operator needs to know

Running a secure enterprise backup environment — one that actually meets modern compliance requirements — requires working knowledge across several distinct domains:

The knowledge decay problem

Most organisations have one or two people who understand their backup environment well. When those people leave — and they do leave — the knowledge leaves with them. The replacement hires into the role without the institutional context for why specific configuration choices were made, does not know where edge cases are documented (often they are not), and spends the first six months learning without a structured handover.

The backup environment continues to run. Jobs show green. No one tests a restore. The drift between what the configuration was designed to do and what it actually does accumulates slowly, invisible until it is not.

This is the most common failure pattern we encounter in new customer engagements. Not catastrophic misconfiguration from day one. Gradual degradation over two to four years, often following a staffing change.


Time investment analysis: what it actually takes

The question of whether to staff backup expertise in-house or use external managed services is fundamentally a time and cost question. The table below reflects realistic estimates for an organisation with 100–500 client systems backing up to an enterprise backup solution. Adjust by scale.

Initial configuration: one-time investment

| Task | In-house hours | External consultancy hours |
|---|---|---|
| Requirements analysis and scoping | 16–24 h | 8–12 h |
| Architecture design and documentation | 24–40 h | 12–20 h |
| Server provisioning and OS hardening | 16–24 h | 8–12 h |
| Backup software installation and initial configuration | 24–40 h | 12–16 h |
| Client deployment (per 10 clients) | 8–12 h | 4–6 h |
| Schedule, retention and pool design | 16–24 h | 8–12 h |
| Network segmentation and firewall configuration | 8–16 h | 4–8 h |
| Encryption configuration (at rest and in transit) | 8–12 h | 4–6 h |
| Monitoring integration | 12–20 h | 6–10 h |
| Initial restore testing and documentation | 16–24 h | 8–12 h |
| Compliance documentation (initial) | 16–24 h | 8–12 h |
| Total (100 clients) | 164–260 h | 82–126 h |

In-house hours represent elapsed time for an engineer with general Linux and infrastructure knowledge who is learning an enterprise backup platform while configuring it. External consultancy hours reflect an experienced specialist working from an established methodology. The ratio is roughly 2:1 — not because in-house engineers are less capable, but because the specialist applies knowledge that took years to acquire, while the in-house engineer is building that knowledge in real time.

At a blended internal engineer cost of €80–120/h (salary, employer costs, overhead), in-house initial configuration runs €13,000–31,000. At external consultancy rates of €150–220/h, the same configuration runs €12,000–28,000. The cost differential at this stage is modest — the consultancy advantage is primarily speed to production and the reduced risk of configuration errors.

Ongoing operations: annual recurring cost

This is where the long-term economics diverge sharply.

| Activity | In-house hours/year | External managed service |
|---|---|---|
| Daily monitoring and alert triage | 200–400 h | Included |
| Weekly health review | 50–100 h | Included |
| Monthly compliance reporting | 24–48 h | Included |
| Patch and software updates | 24–40 h | Included |
| Client additions and changes | 20–40 h | Included |
| Annual restore testing and documentation | 24–40 h | Included |
| Incident response (estimate: 2–4 incidents/year) | 40–120 h | Included |
| Compliance audit support | 16–32 h | Included |
| Knowledge maintenance (training, labs) | 40–80 h | Included |
| Total | 438–900 h/year | Fixed managed service fee |

At €80–120/h internal blended cost, annual in-house operations cost €35,000–108,000 in direct labour alone, before accounting for tooling, storage, and infrastructure. This figure is frequently invisible in budget discussions because it is distributed across salary lines and absorbed into general IT operational time — no one draws a circle around it and labels it "backup operations cost."


The cost of monitoring: what happens when you remove it

Monitoring backup operations is typically one of the first items negotiated down in budget discussions. The argument sounds reasonable: the jobs run automatically, failures generate alerts, the team will notice if something goes wrong. You do not need a dedicated monitoring contract.

The argument is wrong for three reasons.

Alert fatigue and noise tuning. A freshly configured backup environment produces alerts that require human judgement — is this warning a transient network blip or the start of a client configuration drift? Over time, if monitoring is not actively managed, alert thresholds are widened and certain failure classes are suppressed because they have been false positives in the past. By the time a real failure is happening, the alert it would have generated has been silenced.

The jobs-run fallacy. Job completion does not equal successful backup. A job can complete, show green in the dashboard, and have backed up zero bytes because the client filesystem was empty due to a misconfigured mount point. Effective monitoring goes beyond job status to track data volume trends, verify catalog consistency, and flag anomalous patterns — none of which is automatic.

Drift without observation. Without consistent monitoring, backup environments drift. Schedules that were designed to complete within a maintenance window start running long. Retention policies fill pools in unexpected ways. Client configurations change as servers are updated and nobody tells the backup team. Each individual change is small. The accumulated drift over 18 months is substantial.
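The three failure modes above (silenced alerts aside) can be checked mechanically if monitoring looks at what each job did rather than only at its status. The following is an added example, not code from the article or from faaleoleo's service; the job record layout, field order, thresholds and the job history are all constructed assumptions for illustration.

```python
from datetime import datetime
from statistics import median

# Thresholds are assumptions for this example, not any vendor's defaults.
MAINTENANCE_WINDOW_MIN = 240   # nightly window the schedule was designed for
VOLUME_DROP_RATIO = 0.5        # flag a run that writes < 50% of its baseline
STALE_DAYS = 3                 # flag a client whose last clean copy is older

# Constructed job history: (client, start time, minutes, status, GB written).
JOBS = [
    ("fs01", "2026-05-01T01:00", 95,  "OK", 480.0),
    ("fs01", "2026-05-02T01:00", 100, "OK", 482.0),
    ("fs01", "2026-05-03T01:00", 110, "OK", 485.0),
    ("fs01", "2026-05-04T01:00", 260, "OK", 490.0),    # green, but overran the window
    ("fs02", "2026-05-01T01:00", 30,  "OK", 120.0),
    ("fs02", "2026-05-02T01:00", 30,  "OK", 118.0),
    ("fs02", "2026-05-03T01:00", 31,  "OK", 121.0),
    ("fs02", "2026-05-04T01:00", 2,   "OK", 0.0),      # green, backed up nothing
    ("fs03", "2026-05-01T01:00", 45,  "OK", 200.0),
    ("fs03", "2026-05-02T01:00", 46,  "OK", 205.0),
    ("fs03", "2026-05-03T01:00", 44,  "OK", 198.0),
    ("fs03", "2026-05-04T01:00", 12,  "OK", 40.0),     # green, volume collapsed
    ("fs04", "2026-05-01T01:00", 60,  "OK", 75.0),
    ("fs04", "2026-05-02T01:00", 1,   "FAILED", 0.0),
    ("fs04", "2026-05-03T01:00", 1,   "FAILED", 0.0),  # no clean copy for days
]

def review_jobs(jobs, as_of):
    # Return (client, finding) pairs that a green/red job status alone would not surface.
    now = datetime.fromisoformat(as_of)
    by_client = {}
    for job in sorted(jobs, key=lambda j: j[1]):
        by_client.setdefault(job[0], []).append(job)
    findings = []
    for client, runs in sorted(by_client.items()):
        ok_runs = [r for r in runs if r[3] == "OK"]
        if not ok_runs:
            findings.append((client, "no successful backup on record"))
            continue
        *history, latest = ok_runs
        age = (now - datetime.fromisoformat(latest[1])).days
        if age > STALE_DAYS:                       # drift: clean copy is going stale
            findings.append((client, f"last clean backup is {age} days old"))
        for run in runs:                            # drift: schedule outgrew its window
            if run[3] == "OK" and run[2] > MAINTENANCE_WINDOW_MIN:
                findings.append((client, f"{run[1]} ran {run[2]} min, window is {MAINTENANCE_WINDOW_MIN} min"))
        if latest[4] == 0:                          # jobs-run fallacy: success with no data
            findings.append((client, f"{latest[1]} succeeded with {latest[4]:g} GB written"))
        elif len(history) >= 3:                     # volume trend against the client's own median
            baseline = median(r[4] for r in history)
            if latest[4] < VOLUME_DROP_RATIO * baseline:
                findings.append((client, f"{latest[1]} wrote {latest[4]:g} GB, baseline {baseline:g} GB"))
    return findings

if __name__ == "__main__":
    for client, finding in review_jobs(JOBS, "2026-05-05T08:00"):
        print(f"{client}: {finding}")
```

All four constructed clients report green jobs in the dashboard sense; only fs04 has a red job, and even that one is only a problem because nothing clean has followed it.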

The cost of proper monitoring, per year — whether in-house staff time or a managed service contract — is the cost of knowing that your backup is actually working rather than appearing to work.


The real cost: what you pay when you do not have backup

The cost analysis above covers what you spend to have backup working. The more important analysis is what you pay when you do not — or when what you thought was working turns out not to be.

Data recovery without backup

If data is lost and no usable backup exists, the alternatives are:

| Recovery method | Cost estimate | Success rate |
|---|---|---|
| Professional data recovery (spinning disk) | €500–5,000 per device | 60–80% |
| Professional data recovery (SSD/NVMe) | €1,000–8,000 per device | 40–70% |
| RAID recovery (complex failure) | €5,000–30,000 | Varies widely |
| Ransomware decryption (if decryptor exists) | €0 (decryptor) to €50,000+ (ransom) | 40–60% full recovery |
| Manual recreation from records | €10,000–200,000+ in staff time | Partial |

These figures are per-incident. A ransomware attack affecting 200 client systems does not produce one incident — it produces one incident per affected system, compressed into the worst week of the IT team's professional life.

Operational downtime

Data recovery takes time. Professional recovery services operate on timescales of days to weeks, not hours. During that period, affected systems are unavailable. Depending on what those systems support, the business cost of unavailability can dwarf the cost of recovery itself.

Industry figures for unplanned downtime cost vary enormously by sector and organisation size, but the ranges are consistent in one respect: they are almost always larger than the annual cost of maintaining the backup infrastructure that would have prevented the downtime.

| Organisation type | Downtime cost estimate |
|---|---|
| Small business (10–50 employees) | €1,000–10,000 per hour |
| Mid-market (50–500 employees) | €10,000–100,000 per hour |
| Enterprise (500+ employees) | €100,000–1,000,000+ per hour |

A loss event that takes four days to recover from, affecting an organisation with 200 employees, is a financial event in the range of hundreds of thousands to low millions of euros — for a single incident.

Legal and regulatory costs

If the lost data included personal data under GDPR scope, the incident triggers a mandatory breach notification process. The potential fine exposure was noted earlier. Add to that:

If the organisation is subject to NIS2 and the incident constitutes a significant incident affecting the availability of its services, the reporting and response obligations are mandatory and non-negotiable. Failure to report within 24 hours is itself a violation.


The moment of realisation

Every experienced IT professional has a version of this story, or has heard one from a colleague. The database is gone. The storage array failed overnight. The production file server was encrypted by ransomware at 03:00 on a Sunday morning. Someone in a different team deleted the wrong directory in a migration script. The SAN controller with the only volume snapshot failed before the backup completed.

The first question — always — is: what is the most recent clean backup?

If the answer is "I need to check" and the checking takes time that should be spent recovering, or if the answer is "we had backup jobs running but I am not sure when they last succeeded," or if the answer is "the backup server is on the same network segment that was encrypted," the situation becomes one of those defining moments in an IT career.

The professional who understood the risk in advance and invested in a proper programme starts the restore procedure. The professional who deferred the investment starts making calls — to vendors, to managers, to legal, to the data recovery lab — explaining why the answer to "what is the most recent backup?" is not a clean one.


Comparing the options: a summary

The table below places the cost categories side by side for a medium-sized organisation over a five-year period.

| Cost category | In-house | Managed service |
|---|---|---|
| Initial configuration | €13,000–31,000 | €12,000–28,000 |
| Annual operations (×5 years) | €175,000–540,000 | Predictable fixed fee |
| Monitoring and compliance | Included above | Included in service |
| Knowledge risk (staff turnover) | High — re-training and gaps | Low — institutional knowledge in service |
| Legal exposure if backup fails | Full exposure | Shared responsibility with SLA |
| Cost of single serious loss event | €100,000–1,000,000+ | Substantially mitigated |

The managed service option does not eliminate cost — it converts unpredictable, large-magnitude risk into a predictable, manageable operating expense. That is the economics of insurance applied to infrastructure.


What the risk analysis actually shows

The risk analysis leads to a consistent conclusion: the cost of maintaining a properly functioning, monitored, and compliant backup programme is small relative to the cost of a single serious failure event. That single failure event — the one that data recovery services, legal counsel, regulatory investigations, and business downtime all converge on — has a realistic probability over any five-year period that most organisations are not comfortable acknowledging.

The mental model that treats backup as an overhead to be minimised is precisely backwards. Backup is risk management. The premium you pay for the programme is the premium you pay to not experience the loss event. Viewed in that frame, the question is not whether the backup programme is worth the cost. The question is whether you understand the cost of not having it.


How faaleoleo approaches this

The economics above are the reason faaleoleo exists. We started from the observation that most organisations do not have a backup problem — they have a backup knowledge and operational discipline problem. The technology is available and mature. What is consistently missing is the deep expertise to configure it correctly, the monitoring discipline to keep it working, and the compliance infrastructure to prove it to an auditor.

Every faaleoleo managed service deployment ships with OS-hardened servers, encrypted storage, configured monitoring, and compliance reporting built in. The initial configuration investment is addressed once, by people who have done it hundreds of times. The ongoing operational overhead is absorbed into the service. The knowledge risk — the single engineer who knew how the restore procedure worked and who just handed in notice — does not apply.

What remains is a predictable monthly cost, a documented and tested recovery capability, and the ability to answer the question "what is the most recent clean backup?" at any time of day, any day of the week, without making calls.

If you are in the process of evaluating backup options — whether initial deployment, a move from in-house to managed, or a compliance-driven review of an existing environment — we are happy to work through the numbers specific to your organisation. Reach us at contact@faaleoleo.io.