
Mind the Gap: Why NIS2 Business Readiness Requires Operational Email Continuity
NIS2 email continuity is like plumbing – when it’s working you never give it a second thought, but when it’s not, you notice very quickly. The NIS2 regulation raises the bar for cyber resilience and business continuity, and as we’ve shown in our blog before, having your data safely backed up is not the same as operational continuity.
Most businesses have learned (sometimes through serious IT disasters) that backing up your data is an absolute requirement, even in today’s cloudy world. However, the gap between “I have a copy of my data in a safe place” and “Exchange Online is down and the business impact is mounting” is something many businesses haven’t considered.

Prevention is good, but if you’re relying on a public cloud service provider, like Microsoft 365, for email services, there’s often precious little you can do beyond avoiding configuration mistakes on your part – you must rely on Microsoft to have done the preparation.
Recovery is of course required, and having verified backups of your data will help, though again you’re often in the service provider’s hands as to when the recovery will happen. But it’s the gap in between where your business operations suffer.
This isn’t only a reality when an outage occurs: various regulations, including NIS2, demand an answer to the question “can you prove that your continuity works?”
Why NIS2 Email Continuity Changes the Conversation
At its core, NIS2 raises expectations for cybersecurity risk management and business continuity, and also ties these outcomes to boards and executives personally. This makes sense: thinking that email outages and their impact are an IT-only matter is misguided. Cybersecurity resilience and business continuity (whether threatened by malicious attacks or “normal” outages) are tied to business risks and should be treated like any other risk.
Consider questions like “what would be the financial impact if this supplier is unable to provide the items we need?” or “what happens if severe weather stops these workers from coming to work for two days?” These are business risks, and the mitigations and plans for them should be treated exactly the same as those for “what happens if email is down for X hours?”
Like all risks, working through a calculation for likelihood and financial impact per hour will give you an insight into what kind of resources you should spend to eliminate, manage or mitigate the risk.
Documentation Is Not Continuity
Many businesses have policies and recovery plans (because regulations demand them) sitting in SharePoint sites which may also be unavailable during an outage. But even if the plan is on hand, a plan is only as good as the training of the people actually implementing it.
In other words, true resiliency comes from staff being familiar with the plan, having regularly trained and practiced it, and being able to do it confidently when the time comes. Just like we practice fire evacuations regularly, because it greatly improves outcomes if there is a real fire, resiliency must be regularly trained.
The Auditor’s Real Question
Scenario: email is down – no one is sending or receiving anything. It’ll take time to establish the extent (one branch office, the whole business?) and verify the outage through Microsoft’s channels. Now it’s time to implement your business continuity plan.
And this is the question the auditor will ask – can you prove that your continuity plan works? Not “I have a plan”, but do you have one that will work – what’s your proof? Have you simulated and tested it? Having this evidence will be crucial during an audit.
The Email Continuity Gap Most Businesses Overlook
The business risk is the gap between the outage starting and full recovery, while your IT staff narrow down the cause amongst the many candidates (cybersecurity, Distributed Denial of Service (DDoS) or ransomware attacks, a network outage, a DNS issue, an identity / Entra ID service issue or an Exchange Online problem), track updates from Microsoft, and communicate with leadership and users.
Yes, you have backups that you can restore, but none of that improves the situation right now for staff who can’t process customer requests or orders, or carry out any of the other myriad email-based workflows in your business. This is the gap that costs money for the business.
Why Backup and Disaster Recovery Do Not Solve Live Communication Failure
Recovery is one side of the coin, continuity another. Imagine this – you run your email infrastructure completely on-premises, like we all used to, long ago. And then a natural disaster strikes and takes out your main data center.
All the servers are completely destroyed. OK, now you take your backups (stored offline), bring up new servers and do the full configuration to bring them back online from backup. But during all that time – what do you provide to the business so that they can continue to function, albeit with some limitations? That’s continuity.
Fortunately, Microsoft has built geographical redundancy into the very fabric of Microsoft 365, and your inboxes are stored with several copies, including ones in separate geographical regions.
Failover is automatic and thus should take less time than if you had to do it all yourself, but you still need to provide continuity to the business during the outage.
The Business Cost of an Email Outage
This isn’t a theoretical risk – Microsoft 365 had a 19-hour-long Exchange Online and Outlook disruption in July 2025, and the first quarter of 2026 recorded the lowest Microsoft 365 uptime ever, 99.526%.
Because email has been the foundation for business communications for decades at this point, most businesses rely heavily on it, without having made conscious plans to do so. It’s not until it’s suddenly not working, with no idea how long the outage is going to last, that the impact is felt.
Support queues fill up with requests, prospects aren’t sent the information they requested, sales prospects expecting quotes get bounced emails instead (not a good look) and, depending on the length of the downtime, this can be a disaster for a business.
How Hornetsecurity Continuity Service Closes the Gap
These inevitable email outages don’t have to lead to a gap for your business – the bridge that spans the chasm is Hornetsecurity’s Email Continuity Service.
It automatically takes over within seconds when there’s an outage, lets you see existing saved email messages via an Outlook plugin, gives you continuous access to emails through a web interface or via a POP3 mailbox, and stores mail traffic which is synchronized behind the scenes.
Security Does Not Stop During Failover
Another worry organizations have is that during an outage or a cyber-attack, corners are cut under pressure and decisions are made that could further compromise the organization. With Email Continuity Service that’s not the case: spam and malware protection for emails continues to work just as before.
Continuity as Audit-Ready Evidence
This isn’t just a technical add-on. Email Continuity Service is the ace up your sleeve when NIS2 auditors are evaluating your business resilience, letting you demonstrate a practical response to the (almost) inevitable email outage in your future.
Why This Matters for Partners and Existing Customers
If you’re a Managed Service Provider (MSP), this is a great story to share with your clients. With Hornetsecurity’s comprehensive solutions, including 365 Total Protection, you’re not only providing market-leading email protection and backup of Microsoft 365 data, but you’re also mitigating a very real business risk through Email Continuity Service.
A Stronger NIS2 Conversation for Sales
Regulatory frameworks such as NIS2 are often seen as “tick box exercises”, rather than the impetus for improving business resiliency overall. Given the size and possibility of the fines, partners should take a proactive approach and tell a differentiated continuity story, based on email continuity planning for NIS2 rather than just focusing on compliance.
Strategic Upsell with Clear Business Value
MSPs have several different avenues to show real value to their clients – technical excellence, understanding of the client’s business and thus providing the right solutions for each of them, guiding clients through emerging technologies (such as AI agents) but none have such a lasting impact as providing a safety net during a potentially stressful situation.
If a client’s competitors are struggling with hours-long email outages and you can demonstrate easy continuity and minimal impact on business processes, you’ll be hailed as the heroes that saved the day.
Close the NIS2 Continuity Gap
NIS2 business resilience is no longer measured by what sits in a binder or a SharePoint folder. It is measured by what your organization can keep doing when systems fail.
Despite Microsoft’s SLAs and the resilience engineered into cloud services, outages can still happen, and email downtime does not have to become business interruption if the right continuity measures are in place.

Hornetsecurity Email Continuity Service helps maintain secure email communication during outages, strengthen your continuity posture, and support audit-ready operational evidence.
Ready to turn your continuity plan into continuity in action? Discover how Hornetsecurity Email Continuity Service helps you protect communication, reduce outage impact, and close the gap before an auditor — or an outage — finds it first.
FAQ
What is email continuity and why is it important under NIS2 regulations?
Email continuity ensures business operations can continue during outages. NIS2 raises expectations for cyber resilience, linking email downtime to overall business risks that executives must address.
What do auditors look for regarding email continuity?
Auditors will ask for proof that your continuity plan works, not just if you have one. Evidence of simulations and tests is crucial for demonstrating operational resilience.
What should companies consider to prepare for email outages?
Companies should conduct risk assessments, regularly train staff on continuity plans, and implement services such as Hornetsecurity’s Email Continuity Service to mitigate the impact of email outages on business operations.
