Microsoft 365, Backups and NIS2

The Risk Nobody Talks About

1/27/2026
2 min read


Microsoft 365 has quietly become mission-critical infrastructure for many organizations.
For most organizations, if M365 is down or its data is gone, work stops, because they rely on it for email, files, collaboration and identity management. And yet, one assumption keeps showing up in discussions with senior leadership:

“Our data is in Microsoft 365 — Microsoft must be backing it up.”

That assumption is wrong. And under NIS2, it’s more than a misunderstanding — it’s a real risk.

The Shared Responsibility Model

Microsoft operates M365 under a shared responsibility model. In simple terms, customers themselves are responsible for:

  • Their data

  • Backup and restore

  • Retention decisions

  • Recovery from deletion, corruption, ransomware, or insider actions

What many organizations don’t realize until it’s too late: Microsoft does not provide customer-controlled, point-in-time backups for Microsoft 365 data by default.

This applies to:

  • Exchange Online

  • SharePoint Online

  • OneDrive for Business

  • Microsoft Teams

Retention policies are not backups. Once data falls outside retention or is overwritten or corrupted, recovery options are extremely limited or nonexistent.

Why This Becomes a Problem Under NIS2

NIS2 shifts cybersecurity from a purely technical topic to a management accountability issue. It explicitly requires organizations to take responsibility for risk management, resilience, and recovery. Microsoft’s agreements clearly limit its liability and place data protection obligations on the customer. In a post-incident or regulatory review, “we assumed Microsoft handled backups” will not be accepted as a justification, and assumptions don’t stand up in audits.

The same gaps keep appearing in NIS2 readiness discussions; companies should check whether any of the following apply to them:

  • No dedicated M365 backup solution

  • No defined restore ownership

  • No recovery testing

  • Retention policies mistaken for backups

  • “We’ll deal with it if something happens”

The Bottom Line

Microsoft 365 is reliable. But availability of a platform is not the same as protection of your data.

Under NIS2:

  • Backup responsibility cannot be outsourced by assumption

  • Data loss becomes a management issue, not just an IT one

  • “We didn’t know” is not a defensible position

If your organization cannot confidently answer:

“How quickly can we restore our Microsoft 365 data after a destructive incident?”

then a silent NIS2 risk is already in place. Understanding the Microsoft 365 shared responsibility model — and acting on it — is one of the simplest steps an organization can take to reduce both operational risk and regulatory exposure.