The EU has very strict laws on the security of email and the requirement to keep it archived and to ensure the data cannot get out.
No. GDPR is very organization-specific, meaning that a small organization or non-profit with 5 employees doesn't need the same security as a 100-employee, multi-million dollar organization.
They were going to require small companies, and even private persons processing data outside of the "personal space" limitation, to have the same sort of physical and digital security as any multi-billion dollar corporation, and to require those that cannot cash up for such security to only use hosted cloud services and rented, centrally-managed computers without any IT department of their own.
Of course, they dropped that idea, because it was not fair to small companies. They changed the ruling so that the amount of security you need is dependent on how many people are at risk if the emails leak, and what type of content the email has (if it has sensitive data, the requirements are higher).
But also, export of data to third-world countries is not permitted at all, regardless of organization size, due to the data losing legal protection (if someone outside EU leaks the data, you cannot hold someone responsible), unless specific requirements are met.
This means that a somewhat maintained mail server, physically located at the company, is much better than using a hosted cloud service, as the cloud services usually take extra payment to keep the data inside the EU.
Same with the rulings on security bulletins - if you have a multi-billion dollar company, then you are expected to apply security fixes and patches, even on a Saturday night. They are obliged by EU law to have alarms that wake them up on any major security bulletin regarding any of the server software.
For a small non-profit or family company, it's OK to wait until business hours with that - and if that leads to the server being hacked, it's okay. You did what you could. Nobody expects you to be available 24/7 to patch 0-days.
So it's totally dependent on what type of organization you run, and the size - that governs how much security you need.
And no, you don't need a UPS or backed-up ISP connections, unless you run something mission-critical. Most mail servers will queue mail for several days, so if your mail server disappears for 1-2 days, it doesn't matter. The "availability" requirements of GDPR only apply to society-critical services where it can actually cause harm to end-users if a service is down.
If it's just a small non-profit with 5 employees, GDPR is not gonna care because the email server was down for a day or two.