
Managed backup vs. backup platform: how internal IT should choose

Tags: Backup · Disaster Recovery · NIS2 · ISO 27001 · Internal IT
ISO control: A.8.13 — Information backup
NIS2 Directive: art. 21, Legislative Decree 138/2024
Delivery model: Managed SaaS or PaaS

Why backup is back at the centre

For years backup was treated as background activity: a nightly job that runs, a retention that rolls over, a report no one really reads. Over the last two years three forces have pushed backup back to the centre of security priorities: a wave of ransomware attacks deliberately targeting backups, the entry into force of the NIS2 Directive with explicit requirements on business continuity and crisis management (article 21 of Italian Legislative Decree 138 of 4 September 2024), and the evolution of ISO/IEC 27001:2022 which promoted backup to a dedicated control — A.8.13 «Information backup» — paired with A.5.30 «ICT readiness for business continuity».

In this context, internal IT departments are facing a question that was marginal until recently: do we want to keep operating the backup platform in-house, or is it better to outsource the full service? And if the answer is «a bit of both», what operating model do we adopt?

Managed backup (SaaS): who does what

In the SaaS model the provider delivers backup as an end-to-end service. The customer does not see the console, does not operate the policies, does not run the tests: they define what to protect and how long to retain it, and they receive periodic reports and a dedicated technical contact. It is the model closest to the «zero hassle» experience required by companies without a structured IT department.

  • Delegated operations. Jobs, retention, monitoring, scheduled recovery tests and exception handling sit with the provider. The client signs policies and receives evidence; they do not operate the platform.
  • Compliance documentation ready. The provider maintains the documentation required for an ISO 27001, NIS2 or GDPR audit: recovery-test register, platform access logs, evidence of backup immutability.
  • Cost predictability. Flat or variable fee per protected GB / protected user. No hidden infrastructure costs, no sysadmin skills to retain internally.
  • Less operational control. Policy changes go through the provider: the company gains peace of mind but loses the granularity that an IT team wanting to intervene in real time would want.

Backup platform (PaaS): what we deliver

In the PaaS — Platform as a Service — model the provider delivers infrastructure only. The client's internal IT team becomes the operator of the platform: they define jobs, retention policies, schedules, they handle alerts and they execute restores when needed. The provider guarantees the underlying infrastructure properties, software upgrades of the management layer and the physical and logical security of the data centres.

  • Immutable repositories in the EU. Object-lock / WORM storage in European data centres, encryption at rest and in transit, geo-redundant replication. While the lock is in force a restore point cannot be overwritten or deleted, not even by ransomware operating with compromised administrative credentials; the lock period must therefore cover the whole retention period you need, otherwise the oldest restore points become deletable before they expire.
  • Management console and audit log. Full multi-user admin console with a detailed audit log of who did what. The IT team sees in real time the status of every job, the retention applied, the failure alerts.
  • Full operational control. The IT team decides when and how to change policies, performs restores autonomously without opening a ticket, and integrates the platform with their own ticketing, SIEM and monitoring systems.
  • Internal operational responsibility. Initial configuration, recovery tests, retention management, compliance audits, staff training: it all stays with the client's IT team. The value of PaaS depends on the operational discipline of who runs it.
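The evidence described above (recovery-test register, retention applied, proof of immutability) is the same whichever party operates the console; what differs is who has to produce it. The following is an added example, not AtWorkStudio code and not a product API: a small audit script of the kind an internal IT team running the PaaS model would keep, which checks a backup register against RPO, restore-test interval and lock coverage. The register format, field names and sample workloads are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "current time" so the constructed register below evaluates the same way on every run.
NOW = datetime(2025, 6, 1, 8, 0, tzinfo=timezone.utc)


@dataclass
class Workload:
    """One protected workload as recorded in an (assumed) backup register."""
    name: str
    rpo: timedelta                         # max tolerated age of the newest good backup
    retention: timedelta                   # how long restore points must remain available
    test_interval: timedelta               # max time between documented restore tests
    last_success: datetime                 # newest successful backup job
    last_restore_test: Optional[datetime]  # None = never tested
    lock_retention: Optional[timedelta]    # object-lock / WORM period per restore point; None = mutable


def audit_backups(register: List[Workload], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return the compliance gaps per workload; an empty list means no finding."""
    findings: Dict[str, List[str]] = {}
    for w in register:
        gaps: List[str] = []
        # Backups must be taken according to the agreed policy: compare age with RPO.
        if now - w.last_success > w.rpo:
            gaps.append("rpo_breached")
        # A restore test is the only evidence that a backup is usable; "never" counts as overdue.
        if w.last_restore_test is None or now - w.last_restore_test > w.test_interval:
            gaps.append("restore_test_overdue")
        # Immutability only protects a restore point while its lock is in force, so the
        # lock must cover the whole retention period or the oldest points become deletable.
        if w.lock_retention is None:
            gaps.append("not_immutable")
        elif w.lock_retention < w.retention:
            gaps.append("lock_shorter_than_retention")
        findings[w.name] = gaps
    return findings


def sample_register() -> List[Workload]:
    """Constructed register for the example; not real customer data."""
    d = timedelta(days=1)
    h = timedelta(hours=1)
    return [
        Workload("sql-prod", rpo=4 * h, retention=90 * d, test_interval=90 * d,
                 last_success=NOW - 2 * h, last_restore_test=NOW - 30 * d, lock_retention=90 * d),
        Workload("fileserver", rpo=24 * h, retention=90 * d, test_interval=90 * d,
                 last_success=NOW - 3 * d, last_restore_test=NOW - 10 * d, lock_retention=30 * d),
        Workload("m365-mailboxes", rpo=24 * h, retention=365 * d, test_interval=180 * d,
                 last_success=NOW - 6 * h, last_restore_test=None, lock_retention=None),
    ]


if __name__ == "__main__":
    for name, gaps in audit_backups(sample_register()).items():
        print(f"{name:16} {'OK' if not gaps else ', '.join(gaps)}")
```

Run against a real register, the third check is the one most often missed: a repository can be "immutable" and still leave the oldest restore points unprotected if the lock was set for a shorter period than the retention policy.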

Five questions to decide

There is no «best» model in absolute terms: it depends on the organisation's setup and technology. The five questions we put to clients to guide the decision are operational, not academic.

  • 1. Do you have an IT team with dedicated sysadmin and DBA skills? Without these skills in-house, PaaS is a risk: no one will update the configuration when a workload changes, and no one will run the recovery tests required by NIS2 and ISO 27001.
  • 2. Is backup «something we have to do» or a strategic asset? If it is a strategic asset (provider of critical services to third parties, regulated data, NIS2 sectors), direct control via PaaS can help during audits. If it is a «just make it work» topic, managed SaaS drastically reduces the operational overhead.
  • 3. Which workloads do you need to protect? Servers, VMs, databases, Microsoft 365, endpoints, legacy applications: an honest assessment almost always shows that some workloads are naturally «managed» (Microsoft 365, distributed endpoints) and others are «platform» (critical VMs with tight SLAs, high-change databases).
  • 4. How much are you willing to invest in internal training? PaaS requires ongoing training of the IT team on the platform, on new workloads and on structured recovery testing. If staff are already stretched on other priorities, the PaaS option risks turning into an underused platform.
  • 5. What are your compliance and data-sovereignty constraints? Regulated sectors have explicit constraints on data residency, on who can access backups and on minimum retention periods: the platform must demonstrate documented compliance (EU data centres, provider certifications), but the contractual split of responsibility still has to be defined explicitly.

The hybrid model is the real one

In practice, very few companies adopt a «pure» model. The distribution we see most often in our projects — especially in SMEs with an in-house IT team — is hybrid. The IT team autonomously manages backup of the workloads they know inside out (physical servers, VMware or Hyper-V VMs, SQL Server or PostgreSQL databases) on the PaaS platform, while delegating to AtWorkStudio the workloads that require specific skills or continuous operational effort (Microsoft 365 backup, backup of distributed endpoints, orchestrated disaster recovery for critical workloads).

The underlying platform is the same: what changes is who operates the console and who signs the recovery plan for each perimeter. From the client's point of view it is one architecture, one data residency, one audit surface.

Compliance: NIS2, ISO 27001 and DORA

The most relevant compliance requirements for backup in Italian SMEs are three. The NIS2 Directive (article 21 of Italian Legislative Decree 138/2024) explicitly requires business-continuity and crisis-management policies, of which backup is a structural component. ISO/IEC 27001:2022 promoted backup to a dedicated control A.8.13 «Information backup» paired with A.5.30 «ICT readiness for business continuity». DORA (EU Regulation 2022/2554) imposes, for the financial sector, documented recovery tests and the ability to measure restart capability in realistic disruption scenarios.

In all three cases, the delivery model (SaaS or PaaS) is neutral: both can demonstrate compliance. What changes is the documented split of responsibility in the service contract (SLA, audit trail, evidence access, test plan) — a specification that is better written before signing, not after the first incident.

How AtWorkStudio delivers backup

At AtWorkStudio we deliver backup and disaster recovery in both models, on the same underlying platform with EU data residency, immutable repositories, AES-256 encryption at rest and in transit, audit log and multi-region replication. We operate from Piacenza, we are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, qualified by ACN (Italian National Cybersecurity Agency) for the cloud SaaS service of Microsoft 365 backup (SA-7583), members of Clusit (Italian Association for Information Security) and members of Confindustria Piacenza in the RICT cluster (Research, Innovation and Skills in Information Technology).

Sources

  • Italian Legislative Decree 138 of 4 September 2024 — transposition of the NIS2 Directive in Italy, article 21
  • ISO/IEC 27001:2022 — Controls A.8.13 «Information backup» and A.5.30 «ICT readiness for business continuity»
  • EU Regulation 2022/2554 (DORA) — Chapter II, article 11 «Response and recovery» and article 12 «Backup policies and procedures, restoration and recovery procedures and methods»
  • ENISA — «Cloud Computing Risk Assessment» and operational-resilience guidelines
  • NIST SP 800-34 Rev. 1 — Contingency Planning Guide for Federal Information Systems
  • Clusit — 2026 Report on ICT security in Italy, chapter «Ransomware and resilience»
  • ACN — Cloud-service qualifications, profiles SA-7582 (Email Security) and SA-7583 (Microsoft 365 backup)


Which model is right for your company?

We can help you map the workloads to protect, assess your internal IT team's skills and choose the model (SaaS, PaaS or hybrid) best suited to your operational and compliance context.