NIS2 Art.21.2c: Business Continuity and Crisis Management
What This Control Requires
The measures referred to in paragraph 1 shall include at least the following: (c) business continuity, such as backup management and disaster recovery, and crisis management.
In Plain Language
Ransomware encrypts your production database at 3am on a Friday. Your incident response team contains the attack, but now what? Can you actually restore services? How long will it take? Who talks to customers? Business continuity, disaster recovery, and crisis management answer these questions - before they become emergencies.

Business continuity planning for cyber incidents is different from traditional disaster recovery. A flood destroys hardware; a ransomware attack compromises data integrity across systems, may persist through recovery attempts, and can cascade through interconnected services and supply chains. Your plans need to account for scenarios where you cannot simply restore from backup without first verifying that the backup itself is clean.

NIS2 explicitly calls out backup management as a core requirement. Backups must be performed regularly, stored securely (including offline or immutable copies), tested for recoverability, and protected against the same threats that target production systems. Crisis management procedures should define how your organisation communicates and coordinates during a major cyber event - internally, with customers, with regulators, and with the public.
How to Implement
Run a business impact analysis (BIA) to identify critical business functions, their dependencies on IT systems, and the maximum tolerable downtime for each. Use this to set recovery time objectives (RTO) and recovery point objectives (RPO) for every critical system.

Build a business continuity plan that addresses cyber-specific scenarios. A compromised environment is fundamentally different from a damaged one - you may be dealing with corrupted data integrity, a persistent attacker presence, or encrypted backups. Your BCP must account for these realities.

Implement a backup strategy that covers regular automated backups of critical data and systems, offline or air-gapped copies that ransomware cannot reach, regular restoration testing, and encryption of backup data at rest and in transit. If you do not have immutable or offline backups, fix that first.

Write a disaster recovery plan with detailed procedures for restoring critical systems. Include recovery steps for different scenarios (ransomware, data breach, infrastructure failure) and define the restoration order based on business criticality.

Establish a crisis management framework defining command structures, communication channels, decision-making authority, and escalation procedures for major incidents. Prepare templates for internal and external communications - you do not want to be drafting customer notifications under pressure.

Test everything regularly. Run backup restoration tests at least quarterly, tabletop exercises for crisis scenarios at least annually, and full disaster recovery drills once a year. Document results and fix the gaps you find.

Keep all plans current. Update them whenever you make significant changes to your IT environment, business processes, or organisational structure.
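As an added example that is not part of the original page, the following Python script turns the backup requirements above into a check you can run against a backup inventory: every critical system must have a copy newer than its RPO, at least one offline or immutable copy, encryption on every copy, and a successful restoration test within the last quarter. The inventory format, system names, RPO values and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# One record per backup copy of a critical system (constructed format).
# 'location' is "online", "offline" or "immutable"; offline/immutable marks
# air-gapped media or object-locked storage that a compromised production
# host cannot overwrite or encrypt.
@dataclass
class BackupCopy:
    system: str
    taken_at: datetime
    location: str
    encrypted: bool
    last_restore_test: Optional[datetime]

# Per-system recovery point objectives from the BIA (assumed values).
RPO = {"erp-db": timedelta(hours=4), "mail": timedelta(hours=24)}
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # quarterly, as the text recommends

def check_backups(copies, rpo, now):
    """Return {system: [findings]}; an empty list means the system is compliant."""
    findings = {s: [] for s in rpo}
    by_system = {}
    for c in copies:
        by_system.setdefault(c.system, []).append(c)
    for system, target in rpo.items():
        sys_copies = by_system.get(system, [])
        if not sys_copies:
            findings[system].append("no backup copy at all")
            continue
        newest = max(c.taken_at for c in sys_copies)
        if now - newest > target:
            findings[system].append(f"newest copy is {now - newest} old, RPO is {target}")
        if not any(c.location in ("offline", "immutable") for c in sys_copies):
            findings[system].append("no offline or immutable copy (reachable by ransomware)")
        if not all(c.encrypted for c in sys_copies):
            findings[system].append("unencrypted copy present")
        tests = [c.last_restore_test for c in sys_copies if c.last_restore_test]
        if not tests or now - max(tests) > RESTORE_TEST_MAX_AGE:
            findings[system].append("no successful restore test in the last 90 days")
    return findings

# Constructed sample inventory: erp-db is compliant, mail fails every check.
NOW = datetime(2025, 3, 1, 9, 0)
SAMPLE = [
    BackupCopy("erp-db", NOW - timedelta(hours=1), "online", True, None),
    BackupCopy("erp-db", NOW - timedelta(hours=2), "immutable", True, NOW - timedelta(days=30)),
    BackupCopy("mail", NOW - timedelta(hours=30), "online", False, NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for system, issues in check_backups(SAMPLE, RPO, NOW).items():
        print(system, "OK" if not issues else issues)
```

The findings list for each system is the kind of record an auditor will ask for under the evidence section that follows.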
Evidence Your Auditor Will Request
- Business impact analysis identifying critical functions and RTOs/RPOs
- Business continuity plan covering cyber-specific scenarios
- Backup management policy and procedures including offline backup evidence
- Disaster recovery plan with documented recovery procedures
- Records of BCP/DRP testing and backup restoration tests
Common Mistakes
- Backups exist but have never been tested for successful restoration
- No offline or immutable backup copies, leaving backups vulnerable to ransomware
- Business continuity plans do not address cyber-specific scenarios
- Recovery time objectives are defined but not achievable with current capabilities
- Crisis management procedures lack clear communication templates and escalation paths
Related Controls Across Frameworks
Frequently Asked Questions
How often should backups be tested for recoverability?
Do we need separate plans for business continuity and disaster recovery?