For decades, disaster recovery meant one thing: restoring systems after a catastrophe. The scenarios were familiar, a data centre fire, or a natural disaster that took critical infrastructure offline. Infrastructure and operations (I&O) teams rehearsed failover drills, board members signed off on recovery budgets, and regulators ticked their compliance boxes.

But as we approach 2026, that playbook no longer fits, writes Ron Blair, VP Analyst, Gartner. In today’s world of heavy reliance on software-as-a-service (SaaS), “disaster” often looks less like a flood and more like a frozen login screen. Employees unable to access core applications. Dashboards sitting blank. Everyday business grinds to a halt, not because of a fire or a cyberattack, but because the applications organisations depend on most are suddenly unavailable.

See also: JPMorgan’s Group CISO blasts “dangerous concentration risk” of SaaS

These outages aren’t edge cases. They’ve exposed a new reality: traditional disaster recovery strategies, designed for data centres and cloud workloads, simply don’t apply to SaaS. You can back up the data, but you can’t back up the service. When the provider goes down, so does your business. 

From IT failure to business crisis

The implications are profound. SaaS outages don’t just frustrate employees; they halt revenue streams, damage customer trust, and in regulated industries, risk compliance violations. That’s why disaster recovery can no longer be viewed as solely an IT concern – it’s now a board-level priority. 

Increasingly, recovery time objectives (RTOs), the maximum downtime an organisation can tolerate, are being set not by IT alone, but in partnership with business leaders. The shift reflects a simple truth: resilience is not an IT metric; it’s a business outcome. It’s about ensuring that revenue generation, customer engagement, and compliance obligations can withstand disruption.

Business leaders are demanding more. Across industries, acceptable downtime is shrinking. Many organisations now aim to recover mission-critical applications in under four hours. In highly regulated sectors, the target is two hours or less. Meeting those expectations with manual recovery is no longer realistic.

Automation as the foundation - not the fix

As organisations’ reliance on SaaS continues to grow, traditional disaster recovery models, even those strengthened by automation, are reaching their limits. Automation through infrastructure as code (IaC) and disaster recovery orchestration has transformed how I&O leaders manage recovery for the systems they control, reducing manual steps and improving reliability. But those gains don’t extend to third-party SaaS environments where there’s no like-for-like failover, no direct control, and no guarantee of uptime.

In this new reality, the goal is shifting from automating recovery to sustaining continuity. When a SaaS outage occurs, resilience depends not on faster failover, but on clear processes, tested workarounds, and business-led decisions that keep operations moving until services are restored.

Learn more about The Stack Summit: Email The Stack's Ed Targett.

That doesn’t make automation redundant, it remains the operational backbone for traditional workloads, helping organisations achieve more aggressive RTOs and freeing up resources to plan for broader continuity challenges. But it must now be paired with new playbooks designed for what can’t be automated.

Only 18% of organisations in Gartner’s IT Resilience Survey for 2026 describe their disaster recovery posture as advanced, with automation and continuous availability built in from the start. Many still lack integrated testing in production. This gap matters because true resilience requires both: automated recovery for what can be controlled and tested contingency plans for what can’t.

The SaaS blind spot

 If automation is the great enabler of resilience, SaaS is its great blind spot.  You can automate your own infrastructure, but you cannot automate a third-party service. When SaaS goes down, the customer has no levers to pull. 

Backups are partial safeguards. Eighty-five per cent of organisations surveyed said they have already implemented or are in the process of implementing SaaS backups. But backups protect only data. They do not restore the application itself. The result is that the data may be safe, but the platform that powers sales, collaboration or operations remains unavailable.

The real challenge lies in accountability and visibility. Business units assume IT has a plan for SaaS downtime. IT assumes vendors will ensure resilience. Vendors, in turn, rarely offer more than service credits when things go wrong. The result is a gap between business expectations and operational reality - with I&O leaders stuck in the middle, expected to deliver resilience without the tools or assurances to make it possible.

Barriers compound the problem. Funding for SaaS contingency planning is scarce. Transparency into vendor resilience practices is limited. And few organisations regularly rehearse what to do when a critical SaaS platform becomes unavailable. The risk is not abstract. It means that the next outage will arrive, and instead of executing a plan, executives will be left pointing fingers.

Building new playbooks

So, what’s the answer? It’s not about trying to replicate SaaS failover. It’s about building new playbooks fit for a SaaS-first world. Three actions stand out:

  1. Bake SaaS into continuity strategies. Backups are essential but insufficient. Organisations need documented, tested workarounds, from read-only access to lightweight alternatives, that can keep core business processes moving. These workarounds must be rehearsed regularly, just like traditional DR drills.
  2. Push for transparency and accountability. Enterprises need to demand more from SaaS vendors, clearer disclosures of resilience practices, certifications, and contractual commitments. Vendor selection should prioritise resilience as much as features or price.
  3. Elevate SaaS resilience to a business issue. These plans can’t sit within IT alone. Risk, compliance, and finance leaders must be part of the process. Without business buy-in, funding will lag, and playbooks will remain theoretical. With it, resilience becomes a strategic capability, not just a technical aspiration.

The urgency is real. Regulation is tightening across financial services, healthcare and utilities. Customers are more unforgiving than ever, conditioned by always-on consumer platforms. And the threat landscape is evolving rapidly, from AI-driven cyberattacks to self-inflicted outages caused by rushed updates.

Preparing for the inevitable

The next SaaS outage is not hypothetical. It’s inevitable. When it comes, the difference between those who ride it out and those who make the headlines will come down to preparation. Have you rehearsed your SaaS downtime playbook? Does your board understand the limits of traditional recovery models? 

In a SaaS-first world, the definition of disaster has changed. It’s no longer about fires or floods alone. It’s about whether your core applications, the ones that run your revenue, your customer relationships, and your compliance obligations, can survive when the service itself goes dark.

Gartner analysts will be exploring SaaS outage resilience and disaster recovery at the IT Infrastructure, Operations & Cloud Strategies Conference in London on 17–18 November. 

The link has been copied!