
Statement on the European Data Protection Day

Christian Kubik | Editor: Melanie Steinbeck

How companies protect digital identities and data

European Data Protection Day should not just be a day of data protection reflexes. Those responsible should review how they protect and secure one of the central attack vectors for unauthorized access to information: digital and human identities. Protecting and restoring them is a crucial task. After all, both are a key tool for attackers to gain access to data.

Christian Kubik, Manager Field Advisory Services Team EMEA at Commvault. © Commvault

On European Data Protection Day, many decision-makers reflexively remember the usual recommended list of measures: Update policies, revise consent forms and train employees on security and resilience strategies. These steps are essential, but they are only the beginning. In 2026, managers at board level should also ask themselves the question: Can we demonstrate control over how we handle and protect personal information and maintain trust with our customers, partners and employees, even in crisis situations?

Crises occur for many reasons - identities are corrupted, configurations are set incorrectly, access is misused. In all of these cases, it is important that companies are prepared to deal with the consequences of these crises by protecting important data and digital identities and being able to restore them after an attack.

Duty of proof

The direction is clear across all industries: companies are being urged to substantiate their data protection plans. This applies all the more in the face of new threats: Gartner experts predict that by 2027, more than 40 percent of AI-related data breaches will be caused by improper cross-border use of generative artificial intelligence.


And companies are responding: IDC estimates that 85% of information products will contain a so-called Data Bill of Materials (DBoM) by 2028. This documents the collection, processing and cleansing of data and proves that consent has been obtained.

This growing burden of proof is also reflected in Europe. Regulatory requirements such as the GDPR, NIS-2 and DORA demand it. For example, NIS-2 and DORA require companies to demonstrate appropriate technical and organizational measures for data access and risk management and to provide special protection for critical systems such as directory services. Who is allowed to access critical systems and which roles and privileges are assigned must be documented. Both sets of rules explicitly stipulate that administrator and service accounts must be protected separately and that the actions of such privileged identities must be logged separately.

The level of protection of this data within an organization depends on operational performance and not just on guidelines: How quickly and well can IT contain intrusions, validate the data and, if necessary, restore it securely?

Identity protection

Especially when it comes to confidentiality, the requirements of data protection and resilience coincide. On the one hand, there is the business-critical need for the affected organization to restore any encrypted or corrupted data itself, as quickly, cleanly and completely as possible. On the other hand, it is important to prevent the attack in advance, for example by preventing access to digital identities.

Because one thing is becoming increasingly clear: digitally compromised identities are the Achilles' heel of data protection. In cloud environments, they are often the fastest way to access sensitive data. Active Directory (AD), for example, is one of the most frequent targets of cyber criminals. Nine out of ten attacks target the directory service, as it controls access to data, systems and applications.

Resilience - and therefore data protection - means detecting unauthorized access and the circumvention of identity controls at an early stage, limiting the damage and restoring the status of privileges securely.

This is why a clean and sustainable cyber recovery of the privilege status of users and of the digital identities of machines or applications is of central importance. In the case of ransomware or identity theft, the risk lies in restoring compromised data records - the wrong data at the wrong time - without checking their integrity. The next unauthorized access is then inevitable. Securing the privilege directories is therefore a necessary preventive measure.

Identity-resilient companies prioritize isolation, verification and reproducibility of backups, for example of the Active Directory directory service, in order to be able to restore their entries and at the same time minimize the risk of re-infection, damaged data or repeated data breaches due to unauthorized access.
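The three checks the last paragraphs call for (a documented privilege baseline, an integrity check before any restore, and a restore point that predates the compromise) can be combined into one selection step. The following is an added example, not Commvault's code or any product's API; the vault catalogue schema, backup identifiers, account names and dates are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AdBackup:  # one catalogue entry of the isolated backup vault (hypothetical schema)
    backup_id: str
    taken_at: datetime
    vault_sha256: str         # digest the vault recorded when the backup was written
    domain_admins: frozenset  # privileged group membership captured with the backup

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def select_clean_backup(backups, images, compromise_at, baseline_admins):
    """Newest backup that predates the compromise, whose stored image still matches
    the vault digest and whose privileged membership stays within the documented
    baseline. Returns (backup_id or None, {rejected_id: reason})."""
    rejections = {}
    for b in sorted(backups, key=lambda x: x.taken_at, reverse=True):
        if b.taken_at >= compromise_at:
            rejections[b.backup_id] = "taken after the compromise window opened"
        elif sha256_hex(images[b.backup_id]) != b.vault_sha256:
            rejections[b.backup_id] = "image digest differs from vault record"
        elif not b.domain_admins <= baseline_admins:
            extra = sorted(b.domain_admins - baseline_admins)
            rejections[b.backup_id] = f"undocumented privileged accounts: {extra}"
        else:
            return b.backup_id, rejections
    return None, rejections

# Constructed sample data: stand-ins for backup images and their catalogue
# entries. Identifiers, dates and account names are made up for this example.
UTC = timezone.utc
IMAGES = {
    "ad-0120": b"directory backup image, 20 Jan (constructed)",
    "ad-0124": b"directory backup image, 24 Jan (constructed)",
    "ad-0126": b"directory backup image, 26 Jan (constructed)",
}
BASELINE_ADMINS = frozenset({"Administrator", "adm-backup"})
CATALOGUE = [
    AdBackup("ad-0120", datetime(2026, 1, 20, 2, tzinfo=UTC), sha256_hex(IMAGES["ad-0120"]), BASELINE_ADMINS),
    # stored image no longer matches the digest the vault recorded at write time
    AdBackup("ad-0124", datetime(2026, 1, 24, 2, tzinfo=UTC), sha256_hex(b"original 24 Jan image"), BASELINE_ADMINS),
    # an account outside the documented baseline already holds Domain Admins here
    AdBackup("ad-0126", datetime(2026, 1, 26, 2, tzinfo=UTC), sha256_hex(IMAGES["ad-0126"]), BASELINE_ADMINS | {"svc-temp"}),
]

def evaluate_vault(compromise_iso: str):  # selection against the sample vault for a given detection time
    return select_clean_backup(CATALOGUE, IMAGES, datetime.fromisoformat(compromise_iso), BASELINE_ADMINS)
```

With a compromise first detected on 25 January, the newest backup is rejected for timing and the 24 January one for a digest mismatch, leaving the 20 January backup as the restore candidate; the rejection reasons double as the record of what was not restored and why.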

Data protection day as a resilience test

Data Protection Day is a good opportunity to immediately test your own resilience. Can those responsible contain the consequences of unauthorized access, cleanly restore the affected data and systems and thus convincingly demonstrate control over their data in accordance with the rules?

Companies that set up identity resilience as an additional data protection measure create the conditions for this. In the worst case scenario, i.e. in the event of a successful attack, they will be able to safely resume operations and document exactly what was affected, what was restored and what remained secure or is secure again.
