Cloud DR vs on-prem DR: an honest comparison
Cost, RTO, operational complexity, compliance: a head-to-head comparison between cloud DR and a secondary on-prem site. When the second datacentre still makes sense.
TL;DR
Neither cloud DR nor on-prem DR is simply better than the other: they answer different needs. In 2026 cloud wins in 90% of cases on cost and flexibility. On-prem still applies for sub-30-second RTO, specific regulations and fully air-gapped environments.
Five comparison criteria
1. 3-year cost
Cloud DR: pay for storage + subscription, compute kicks in only at failover. For 10 medium VMs: €350-700/month, mostly flat.
On-prem DR (secondary datacentre): amortised hardware + physical space + power + maintenance. Minimum amortisation of a secondary datacentre for the same capacity: €1,500-3,000/month, plus €20-40k one-off setup.
Cloud wins 3:1 over 3 years for SMBs. The gap narrows for companies with > 200 VMs.
2. Achievable RTO
Well-configured cloud DR: 5-30 minutes. On-prem hot standby: 30 seconds-2 minutes. On-prem cold standby: hours.
Sub-minute RTO needs on-prem infrastructure. Above one minute, cloud is competitive.
3. Operational complexity
Cloud: the provider handles hardware, redundancy and disk replacement; you handle policy and drills. On-prem: you handle everything, including on-call staff for overnight incidents.
In FTE terms: cloud requires 0.3-0.5 FTE for DR of an average company; on-prem requires 1-1.5 FTE.
4. Compliance
Cloud with certified providers (ISO 27001:2022, 27017, 27018) shifts half the evidence work to the provider. For NIS2 and ISO 27001 this is a real advantage.
On-prem requires building and maintaining all evidence in-house: facility audits, access controls, physical disk-disposal management.
5. Data sovereignty
For NIS2 and Italian public tenders, the cloud must be Italian (not just European). Sefthy is hosted in Italian datacentres.
On-prem guarantees sovereignty by construction, but at the cost of operational complexity.
When the on-prem secondary still makes sense
Three specific cases:
- sectoral regulation: defence, intelligence, level-3 healthcare with specific constraints;
- sub-30-second RTO: trading, real-time industrial control;
- full air-gap: national-security systems that cannot touch the Internet.
Everything else is better in cloud in 2026.
A hybrid that works
For organisations with an already-amortised on-prem secondary, a valid hybrid strategy is:
- on-prem for mission-critical systems with RTO < 5 min (DC, ERP);
- cloud DR for the rest (file servers, dev, test, archives).
Cloud reduces TCO without writing off existing investments.
FAQ
Can I do cloud DR to a "European" cloud and claim NIS2 compliance?
Technically yes, but for NIS2 essential entities and Italian public tenders an Italian sovereign cloud is a significant competitive advantage.
How much does cloud lock-in risk really matter?
Real but manageable: pick providers with documented backup export and keep monthly offline copies as a hedge.
Does hybrid DR increase or decrease complexity?
Increases. Only worth it if on-prem is already amortised and well managed.
For the hidden costs of DIY DR, read "Hidden costs of DIY Disaster Recovery". For data sovereignty specifically, see "Geo-redundancy in Italy".