Scanners stop beeping, cash registers fall silent, doors remain locked. What usually runs around the clock came to a sudden halt at German food retailer Edeka in May 2024. In hundreds of stores across the country, customers couldn’t shop, and employees couldn’t access systems. Even supply chains were disrupted. The cause? An IT failure at a service provider responsible for central systems in the company. It wasn’t until the following day that operations normalized. Breakdowns like this one reveal how IT issues can have wide-reaching effects, and just how co-dependent business models and IT systems have become.
Whether outages are caused by cyberattacks, extreme weather, or technical glitches, what was once considered purely a business risk now has regulatory implications. The European Union (EU) has revised the Directive on Network and Information Systems, known as NIS2. Its goals are to strengthen the resilience of IT within the digital single market and to make business processes more robust overall. In serious cases, not only can damages be high, but fines can be severe – up to €10 million or 2% of global annual revenue, whichever is higher. NIS2 also obliges executive bodies to actively manage and monitor cybersecurity, with exclusion of personal liability not guaranteed.
NIS2 is both a mandate and an opportunity. The revised directive expands requirements to a significantly larger number of companies – around 150,000 across Europe – and sets higher standards for IT security. That means companies that previously had little or no engagement with such regulations will now likely be affected. It also makes NIS2 a wake-up call. It’s time to counter IT threats scrupulously, and to recognize business continuity management as an effective preventive tool to mitigate damage.
Develop, test, and dynamically adapt recovery strategies
From e-commerce to industry to logistics, those who want to keep their operations running during a crisis must analyze risks systematically. Processes, systems, and their dependencies need to be scrutinized. Which functions are critical? How long can they be down before substantial damage occurs? What measures can prevent worse outcomes? A backup and disaster recovery strategy is just as essential as emergency plans to manage crisis processes methodically. What’s also important is that once a recovery strategy is developed, it must be regularly tested and updated. Business continuity is not static – it’s a dynamic concept that must adapt to new technologies, threat scenarios, and business models.
Networks in focus: Small errors cascade into major problems
Exchanging data, using cloud services, connecting offices, factories, and locations – connectivity plays a key role in business risk. In a fully digitalized world, networks are a central ingredient that turn data and AI into smart services. Smoothly functioning networks are often taken for granted, like water or electricity. The historic blackout in Southern Europe in late April 2025 illustrates the dangers. First, it shows how dependent society and the economy are on energy – with estimated damages in Spain alone around $5.2 billion. Second, it highlights how small errors in interconnected systems can quickly escalate into major problems. And the same applies to IT: A severed network cable can have massive consequences.
Securing data exchange through redundancy
Whether fiber optics, mobile networks, or satellite, those securing their networks rely on redundancy. Under NIS2, companies are well advised to design their digital infrastructure with fallback options. In practice, this means not relying on a single provider or location, but distributing risks and implementing multi-vendor strategies. If one provider fails, another can take over, even if a service provider ceases operations due to organizational reasons like insolvency. Connecting networks directly to Internet Exchanges (or IXs) further reduces the risk of outages. By supplementing traditional transit connections with peering, companies become less dependent on individual Internet providers and ensure that critical services remain available during disruptions.
Beyond technical and organizational redundancy, it’s also important to consider the physical distribution of infrastructure. Data centers and network paths should be spatially separated and operated independently. If IT systems are geo-redundant, one resource can substitute for another. For example, Germany’s financial supervisory authority mandates minimum distances between data centers to ensure business continuity in the banking sector.
As digital processes become increasingly vital to value creation, business continuity becomes more important – regardless of legal requirements like NIS2. Ultimately, prudent and thoughtful behavior is recommended for every entrepreneur who responsibly steers their organization. Outages can never be completely prevented, but with proper preparation, they can be systematically mitigated and their impact minimized.
Dr. Thomas King
Dr. Thomas King has been CTO at DE-CIX since 2018 and a Board Member since 2022 where he has driven the company’s technological leadership. Previously CIO, he advanced DE-CIX’s cloud neutrality, high-bandwidth access, security solutions, and service automation through innovations like patch robots and the DE-CIX API. He has also led the technical rollout of DE-CIX’s global expansion across North America, Europe, the Middle East, India, Southeast Asia, and Africa.
