This is the fifth and final article in our blog series based on our data governance report. Throughout this series, we’ve explored how governance helps manage data through its lifecycle, strengthens resilience, and fuels compliance and business growth.

Now it’s time to bring it all together — and put governance into practice.

This blog introduces a practical framework/checklist designed to help organizations move from intention to execution. Whether you’re just getting started or refining a mature program, the model outlined here offers a clear way to assess priorities, identify gaps, and scale governance with confidence.

Governance doesn’t start with technology — it starts with structure 

A governance program can’t succeed without clarity on goals, ownership, risk, and accountability. That’s why a structured framework is essential — not to add complexity, but to cut through it.

In Keepit’s data governance report, we provide three interconnected governance lenses, each supported by 10 critical checklist questions. Below, we outline the key areas these questions cover.

1. Framework readiness: Establishing the foundation for governance 

Before governance can scale, it needs a solid foundation. This checklist can help you assess if your organization has the right structures, policies, and oversight to support and sustain governance. It focuses on:

• Clear governance roles and responsibilities 
• Policy enforcement and standardization 
• Classification, privacy, and retention frameworks 
• Regulatory alignment and auditability 
• Mechanisms for continuous review and improvement

2. Classification strategy: Organizing data to reduce risk and increase value

Governance depends on knowing what data you have and treating it accordingly. This checklist helps define a fit-for-purpose classification model — one that supports access control, automation, and downstream compliance. It includes:

• Mapping data types, sources, and storage locations 
• Assessing sensitivity and access risk 
• Defining classification categories and metadata tagging 
• Supporting tools and automation capabilities 
• KPIs to monitor classification effectiveness

3. Board-level alignment: Elevating governance to a strategic business function 

For governance to succeed, it must be visible at the top. This checklist helps ensure governance is not just operational — it’s strategic. It supports board engagement by emphasizing:

• Acknowledgement of the risk management process (part of NIS2) 
• Leadership’s understanding of governance goals 
• Framing governance in terms of business value and risk 
• Communicating maturity, cost, and ROI 
• Enabling cross-functional alignment 
• Reporting and collaboration at the executive level 

Use the checklist to spark internal conversations 

These questions aren’t just for IT or compliance — they’re designed to be cross-functional.  You can use them in workshops, planning sessions, or executive briefings to create alignment and drive accountability.

Most importantly, they turn governance from an abstract concept into a shared capability. 

Before implementing a governance framework, organizations need leadership buy-in. The checklists can help guide discussions at the executive level. 

Conclusion: From questions to execution 

A checklist alone won’t build a governance program — but the right questions will move you from assumptions to action. Organizations should use these checklists as a starting point, adapting them to their specific needs.

Next step: Assess your current governance framework — which gaps need to be filled? 

Keepit protects critical Microsoft 365 and Microsoft Entra ID data of 2,515 users, to add Power BI in the near future

Paris, France – June 10, 2025 – Keepit, a global provider of a comprehensive cloud backup and recovery platform, today announced that it has been selected by the French Tennis Federation (FFT) to independently back up its Microsoft 365, Microsoft Entra ID and Power BI data.

Keen to strengthen the resilience of its digital environments, the French Tennis Federation chose a sovereign backup solution, independent of major global cloud providers. It chose Keepit, a Danish company that controls its entire hosting chain by operating its own cloud and data centers, across Europe, and in the UK, Canada, Australia and the US. Keepit’s architecture, which guarantees uninterrupted access to data even in the event of third-party provider failure, fully met the FFT’s requirements of security, independence and business continuity.

“Until three years ago, we had no backup solution for our cloud environments. My objective was clear: to identify a European service provider guaranteeing maximum independence”, says Franck Labat, Technical Director at FFT. “Beyond this initial requirement, Keepit was able to meet additional needs that we hadn’t anticipated: centralized, traceable archiving of PST files, unified management of all our data via a single platform, and more recently, seamless integration of our directory as part of our complete migration to Entra ID.”

The French Tennis Federation, headquartered at Roland-Garros stadium, organizes, coordinates and promotes tennis for over 8,000 clubs throughout France. The FFT’s operations also involve the management of a large number of seasonal employees as part of its event-driven activities, generating significant data flows to be processed and restored. To ensure consistent monitoring, it is essential to be able to recover data from people who have left, sometimes after short assignments, in order to pass it on to their managers. This need also led the FFT to choose Keepit: beyond backup, the solution enables targeted copying and restoration according to the needs of the teams. Keepit facilitates the management of these processes, while guaranteeing data security.

The collaboration began in 2022, alongside SCC France, a trusted partner of the FFT for over 15 years, with the initial aim of safeguarding Microsoft 365 environments. Since then, the partnership has gradually expanded to include Power BI and Microsoft Entra ID. FFT now plans to systematically integrate any new Microsoft solution it adopts into the Keepit ecosystem, ensuring continuity and consistency in the protection of its digital assets.

“We are particularly proud to have led this project alongside our partner SCC, to offer the FFT an independent cloud backup and recovery platform that is simple to deploy and administer,” says Cyril VanAgt, Vice President Channel EMEA at Keepit. “We remain fully committed to supporting the next steps in the evolution of its cloud and Microsoft environments.”

About the French Tennis Federation
The French Tennis Federation (French: Fédération française de tennis, FFT) is the governing body for tennis in the Hexagone and DROM-COM. It was founded in 1920, and is tasked with the organization, co-ordination and promotion of the sport. It is recognized by the International Tennis Federation and by the French Minister for Sports. Its headquarters are at the Roland-Garros stadium in France.

Keepit has been recognized as a leader among SaaS Backup, Data Loss Prevention, Disaster Recovery, and Enterprise Backup categories.

New senior executive shares ambitious goals for regional Keepit expansion  

Copenhagen, Denmark, June 2, 2025 – Keepit, the global leader in SaaS data protection, today announced that Dan Middleton, former VP at Veeam, has been appointed as its new VP for the UK and Ireland. Middleton will grow Keepit’s UKI sales team, accelerate pipeline generation, and drive the expansion of Keepit’s local partner ecosystem with the regional partner management team. Additionally, Middleton is responsible for Eastern Europe, Middle East and South Africa.

With over 20 years’ experience in IT sales leadership, Middleton brings a wealth of proven go-to-market expertise and leadership to Keepit. His appointment follows an 11-year tenure at Veeam UKI, where he played a key role in strengthening the company’s market presence to #1 in the region. 

“Keepit is solving one of the most urgent challenges organizations face today: protecting and controlling their data in a complex, fast-moving, and highly regulated landscape. With data sovereignty continuing to rise up the boardroom agenda, businesses need practical, proven solutions. My priority now is to build on momentum in the UK and Ireland, working closely with our channel partners to drive growth and help more organizations take control of their data, wherever it resides,” said Middleton. 

“We’re incredibly excited to have Dan on board,” said Keepit Chief Revenue Officer, Craig Bumpus. “He’ll be leading an already strong and experienced team dedicated to helping organizations protect their data. This role is critical to our continued growth in the region and with Dan’s expertise, we’re set to meet some bold growth objectives that will take us into strategic accounts and help expand our customer base even further. Following our recent alliance with Ingram Micro in the UK we are well positioned to expand our UK footprint” 

Middleton joins Keepit at a time when organizations are under significant pressure to protect their data and metadata generated by their SaaS applications. However, SaaS providers have no obligation to offer data protection services alongside their tools.  

Thanks to datacenters located in the UK and complete independence from global hyperscalers, Keepit’s backup and recovery solution ensures that organizations retain complete access to their data at all times. With Keepit, organizations have the confidence that data remains under their control, even if the original SaaS system is unavailable, or a third party takes unauthorized control of data stored within a public cloud. This is a critical contribution to data resilience in the context of UK digital sovereignty. 

A wave of cyberattacks – including recent high-profile attacks against major UK retailers – has pushed data protection back into the spotlight. And with both the UK and EU tightening data sovereignty laws, organizations must take a more strategic approach to managing their data: classifying, prioritizing and understanding its value.  

Keepit supports this by offering secure, compliant cloud backup and data management services that ensure data is protected, easily accessible and stored according to local sovereignty requirements. This enables organizations to maintain control, meet regulatory demands, and recover quickly from cyber incidents. 

Based at Keepit’s continuously growing UK headquarters in London, Middleton will accelerate adoption of Keepit’s solutions by targeting industries facing some of the toughest data governance challenges, where organizations are subject to numerous regulations, including aligning their data policies with UK and EU legislation. 

For more information on Keepit’s data protection solutions and upcoming developments, visit www.keepit.com 

About Dan Middleton
Dan Middleton is Keepit’s VP, UK and Ireland. He has over two decades of experience working in IT sales management, including 11 years with Veeam Software in roles that included Commercial Sales Director and VP, UK & Ireland. 

Find Dan Middleton on LinkedIn 

The reality of Europe’s cloud dependence 

Europe stands at a crossroads when it comes to data sovereignty. Despite its aspirations for autonomy, 97% of the cloud infrastructure and platform services market is dominated by U.S. and Chinese providers — like the US Big Three (AWS, Azure, and Google Cloud) and Chinese providers such as Alibaba, Huawei, and Tencent.

The implications are profound. With critical European data housed within infrastructures controlled by foreign entities, the EU’s ambitions for digital sovereignty face significant hurdles. How can Europe claim true data sovereignty when its information resides under jurisdictions subject to foreign government access and control? 

The geopolitical landscape 

The global cloud market is not just about technology — it’s about politics and control. Data sovereignty speaks to the legal and regulatory control a country or region has over data generated or stored within its borders. But with most of the infrastructure controlled by non-European players, the question of true sovereignty remains unresolved.

This dependency leaves Europe vulnerable to political shifts and foreign legislation, including policies like the U.S. CLOUD Act, which grants American authorities the right to access data stored by U.S. companies, even if it resides on foreign soil. 

A path forward for Europe 

For Europe to assert control over its digital future, it must prioritize sovereign cloud solutions. These infrastructures would guarantee data residency, security, and autonomy, shielding critical information from foreign oversight. Keepit’s architecture is purpose-built for such sovereignty, with control over the entire data and management plane, providing a viable pathway for European enterprises to regain digital control. 

Next steps: Navigating toward European digital autonomy 

To transition from dependence to autonomy, European companies should:

• Invest in sovereign cloud solutions: Opt for providers that prioritize European data residency and compliance. 
• Strengthen compliance with regional regulations: Align with GDPR, DORA, NIS2 and local data privacy laws to build stronger protections. 
• Leverage local data centers: Prioritize data centers within Europe to avoid geopolitical risks. 
• Demand transparency and local control: Ensure your provider maintains complete transparency over data handling and security measures. 
• Promote regional cloud initiatives: Support European-based cloud initiatives that focus on sovereignty and compliance.

A sovereign Europe starts with responsible decisions made today. 

Understanding digital sovereignty 

Digital sovereignty extends beyond data to encompass control over the entire digital infrastructure — hardware, software, and data. It represents an organization’s ability to manage and control its digital environment independently, ensuring autonomy and security in a constantly shifting cyber landscape. With global cloud adoption surging, the conversation around digital sovereignty has never been more relevant.

By 2025, 30% of multinational companies are expected to face significant impacts from unmanaged digital sovereign risks. This statistic underlines the growing urgency for IT leaders to ask themselves critical questions: What are your plans to ensure both digital and data sovereignty? Are you prepared to build a robust, secure digital infrastructure that respects and enforces these principles?

Sovereign cloud challenges 

The journey to digital sovereignty is not without its challenges. Organizations must consider:

• Data: Where is your data stored? Who has access to it? How is it managed? 
• Operations: Are your operational practices aligned with local and international data policies? 
• Infrastructure/technology: Is your technology stack independent and resilient against foreign influence? 
• Local vs. foreign compliance: Are you compliant with both local and international data laws? 
• Residency and monitoring: Can you guarantee data residency in specific locations while maintaining transparent monitoring?

These challenges are not just theoretical; they represent real risks and vulnerabilities for global businesses. Control, privacy, audit trails, and technology independence are not just aspirations — they are necessities for resilient digital operations. 

Keepit’s role in achieving digital sovereignty 

Where traditional SaaS data protection vendors rely heavily on third-party infrastructure, Keepit takes a radically different approach. Keepit has full control over both the data and management planes, which are physically and logically separated from production workloads.

This unique architecture means that Keepit controls cost, functionality, security, performance, management, operations, and integration — ensuring that customers are not at the mercy of hyperscalers or foreign policies.

For IT leaders, this means autonomy. It means knowing exactly where your data is, who is handling it, and how it is being protected — free from third-party influence. In an era where sovereignty risks are growing, Keepit stands as a beacon of control and reliability. 

The path forward 

Digital sovereignty is not a checkbox; it’s a journey. For IT leaders, the time to act is now. Engage with infrastructure and operations leaders, discuss how Keepit can help secure and manage your data with full sovereignty. Understand the risks of unmanaged sovereignty and be proactive in securing your organization’s digital future. 

Next steps: Selecting the right data protection vendor 

The next step in your sovereignty journey is selecting the right data protection partner. Here are key guidelines to consider:

• Control and ownership: Ensure the provider has complete control over its data and management planes. This eliminates third-party risks and ensures that you remain compliant with local and international data regulations. 
• Physical and logical separation: Look for vendors that guarantee physical and logical separation from production workloads — like Keepit does. 
• Transparency and auditability: Verify that the solution provides transparent audit trails and compliance monitoring. 
• Cost and performance control: Choose a vendor that allows you to predict and manage costs effectively while maintaining optimal performance. 
• Regulatory alignment: Ensure the provider is aligned with local laws and global standards to avoid legal complications.

Choosing the right vendor is crucial for mitigating digital sovereign risks and ensuring data remains protected and compliant. 

Rethinking data protection

As reliance on digital infrastructure grows, so must our approach to resilience. Most organizations have a data protection strategy in place. We all understand the importance of safeguarding data and the severe impact that disruptions—whether from cyberattacks, system failures, or natural disasters—can have on business operations. But as reliance on digital infrastructure grows, so too must our approach to resilience.

In this article, we move beyond traditional data protection to explore a new paradigm: Intelligent resilience. This approach goes beyond basic recovery strategies by integrating real-time visibility, anomaly detection, and automation, delivering faster, smarter, and more secure recovery processes.

What is “intelligent resilience?”

Intelligent resilience represents a proactive and adaptive approach to data protection. Rather than simply reacting to incidents, it leverages real-time insights and predictive analysis to anticipate risks and minimize disruption.

Through powerful features such as Keepit’s Data Protection Dashboard and Anomaly Detection Dashboard, IT teams gain enhanced visibility into data activity, empowering them to identify irregularities and mitigate risks before they evolve into critical incidents.

Keepit’s Data Protection Dashboard 

Keepit’s Data Protection Dashboard offers unparalleled transparency into the state of your backups and recovery points. IT teams can monitor backup status, identify gaps, and gain instant insights into data integrity and compliance.

This real-time visibility allows organizations to be proactive rather than reactive, ensuring that data is not only safe but also recoverable at a moment’s notice. This kind of real-time monitoring is a foundational element of intelligent resilience, as it enables immediate action when issues arise, mitigating risks before they become critical.

Anomaly Detection for real-time threat awareness 

One of the standout features of intelligent resilience is Keepit’s Anomaly Detection Dashboard. This system continuously scans for irregularities in data patterns, flagging potential threats like ransomware or data corruption before they escalate.

Anomaly detection empowers IT leaders with predictive insights, allowing them to intervene swiftly and prevent downtime or data loss, helping you stay ahead of the curve.

Shifting from reactive to proactive

Traditional disaster recovery models are inherently reactive: a system fails, and then recovery begins. Intelligent resilience flips this model on its head by incorporating real-time monitoring and predictive capabilities.

With Keepit’s dashboards, IT leaders can:

• Detect threats before they disrupt operations
• Optimize backup and recovery times
• Ensure compliance and data integrity continuously
• Visualize risks and recovery paths proactively

By embracing this forward-thinking model, organizations are not just responding to incidents—they are actively preventing them.

Building intelligent resilience: A step-by-step guide

1. Evaluate your current strategy Begin by assessing your current data protection policies and recovery plans. Identify gaps in visibility, automation, and real-time monitoring.

2. Leverage advanced dashboards Integrate Keepit’s Data Protection Dashboard for comprehensive backup monitoring and the Anomaly Detection Dashboard for early threat identification.

3. Automate recovery processes Remove human error and accelerate recovery by automating key processes like failover, replication, and disaster recovery orchestration.

4. Ensure governance and compliance Intelligent resilience demands transparent audit trails and constant compliance monitoring—both of which Keepit’s platform enables.

5. Test and adapt regularly Intelligent resilience isn’t static; regular testing and updates are essential for maintaining robustness against emerging threats.

The path forward

Intelligent resilience is more than just a concept—it’s a strategic imperative for businesses aiming to thrive in an unpredictable world. By integrating advanced monitoring, anomaly detection, and real-time visibility through Keepit’s solutions, IT leaders can achieve unprecedented levels of security and reliability.

The time to rethink cyber resilience is now. With intelligent resilience, disruptions are not just managed, they are mitigated before they happen. It’s time to move resilience forward.

If you’re responsible for your organization’s data — whether in IT, security, compliance, or ops — there’s a good chance you’ve already dealt with some form of data loss. If not, odds are you will. The key is understanding how those losses happen and how to recover. 

In my experience, most incidents fall into one of four categories — I call them the four Ms: Malicious attacks, mistakes by admins, mishaps at your cloud provider, and migrations gone bad. 

Let’s take a look at each. Along the way, I’ll share real examples, the patterns I’ve seen over and over again, and what you can do to make sure you’re ready when (not if) something goes wrong. 

Malicious attacks: You will be targeted 

Let’s start with the one everyone knows: cyberattacks. You’ve seen the headlines — ransomware, data-wipes, stolen credentials, you name it. But what doesn’t always make the news is how modern attacks are increasingly hybrid and decreasingly targeted. 

We’re no longer dealing with isolated ransomware gangs. Today’s attacks are more coordinated, more hybrid, and less targeted than ever. Nation-state actors like MERCURY (now Mango Sandstorm) and DEV-1084 (now Storm-1084) have proven they can compromise on-prem environments, escalate privileges, and then pivot into cloud systems like Azure — where they delete Azure-based backups and try to erase the recovery path itself. That’s right: They don’t just go after your data, they go after your recovery plan. 

These aren’t theoretical. Microsoft’s Threat Intelligence blog and others have published chilling case studies on how hybrid attackers operate — and how hard they are to stop once inside. 

Attacks also don’t need to be that sophisticated to be devastating. Many start with a user doing something they shouldn’t — clicking a phishing link or exposing credentials. It’s not intentional, but it’s all an attacker needs to get in, elevate access, and start deleting data. 

Other times, it’s far more advanced. A state-sponsored actor might compromise your local AD, escalate access, and pivot into Azure using a synced identity. From there, they target and delete your backups. Not only is your operational data gone — your safety net is too. 

You might read this and think “well, no nation-state would target us,” but the sad fact is that attack technology always trickles downward. What takes a sophisticated team of experts today can be done by a ransomware gang next week and by a run-of-the-mill ankle-biter next month. As the ransomware market expands, and criminals compete with each other more, they’re being much less discriminating about who they attack, which increases the odds that you’ll get hit. An untargeted attack can do just as much damage to your business as one specifically aimed at you. 

Recovery tip: You can’t assume your backup is safe just because your data is in the cloud. Backups are often the first thing targeted —  here’s why backups are targeted. That means you need copies in a location your attacker can’t reach. Backups need to be immutable, isolated, and independent of your production systems. It’s not enough to say you have a backup. You need to know you can get it back when it counts. 

Mistakes by admins: The most common cause of data loss 

We all make mistakes. I’ve been in this field long enough to say that with confidence — even great admins on a good day can misconfigure something. The problem is, with today’s systems, small changes can have major ripple effects. 

Retention policies are a great example. Someone misconfigures a retention policy and sets it to 9 days instead of 90. Or a PowerShell script gets deployed with the wrong scope and clears out a folder structure. These are honest mistakes, but they carry real consequences. 

Then there are more complex cases — like the major U.S. bank that trusted its SaaS provider’s default retention policy. There was a bug in the logic. The result? Federally mandated records were deleted. By the time anyone realized, the recovery window had passed, and the bank’s risk committee had to be notified. 

No matter how well-trained your admins are, in a world where every IT team is under crushing pressure to do more, faster, with less, mistakes are guaranteed to happen. 

Recovery tip: Your backup strategy has to account for people. The good ones, the tired ones, the well-meaning ones who just made a bad change — and the ones who might mean harm. That means external, versioned backups you can access independently — even if someone on your own team made a critical change or deleted something maliciously. And more than that, it’s about building trust and a strong security culture. People need to feel comfortable admitting when something went wrong, before it escalates. 

Mishaps at your cloud provider: The shared responsibility reality 

Even the biggest cloud providers have bad days. In September 2024, Microsoft lost weeks of security logs for some customers due to a bug in their internal monitoring agents. Earlier, Google Cloud deleted critical pension data of one of Australia’s largest pension providers due to a misconfiguration of the Google Cloud VMware Engine (GCVE). The customer had no way to get it back through Google, but they fortunately had their own third-party backup in place. 

And these mishaps aren’t rare. These kinds of failures may be complex, but they’re not impossible. If your DR plan assumes your cloud vendor won’t mess up — or that they’ll be able to fix any problems they cause — you’re gambling. 

Recovery tip: Shared responsibility means your vendor protects the infrastructure — not your data. They essentially promise not to lose all of your data at the same time—not to help you recover if you lose all your data at the same time. If something gets deleted, overwritten, or lost due to their error (or yours), it’s your responsibility to recover. That’s why independent backup, stored off-platform and regularly tested, is so important. 

Migration gone bad: Underestimated and over-impactful 

Migrations should be straightforward — but they rarely are. They’re a little like home renovations in that they always take longer than expected, cost more than planned, and something breaks along the way. 

In larger transitions, like moving from one cloud provider to another, things can go completely sideways. A large EU retailer migrated to Google Cloud and experienced serious sync and data integrity issues. They didn’t have a rollback plan. Their recovery hadn’t been tested. They were stuck. 

We like to think of migrations as upgrades. But they’re also risk windows — times when data is in transit, systems are shifting, and safeguards are at their weakest. 

Recovery tip: Treat migrations like disaster scenarios. You need complete, point-in-time backups of everything critical before you cut over. And you need to test recovery as part of the migration plan. If you don’t, you might find yourself restoring yesterday’s lunch menu while your billing system stays offline. 

Final thoughts: Plan like it’s going to happen, because it will 

There’s a recurring theme in every scenario I’ve laid out: testing. Not theory. Not a spreadsheet. Actual, practiced, verifiable recovery testing. 

It’s not enough to say you have a disaster recovery plan. You need to prove it works — to yourself, to your team, and maybe even to regulators. That’s where real resilience comes from. Not from wishful thinking, but from preparation. 

You can’t predict every attack. You can’t prevent every mistake. And you can’t control what your cloud vendor does. But you can control how you prepare, and how quickly you bounce back. 

So test your plan. Test it again. And if it fails, fix it now — not during an actual incident.