Viktoria Compliance

This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.

NIS2 Business Continuity Plan — Template


Version 1.0.0 — Last updated 2026-04-25

1. Purpose and Scope

This Business Continuity Plan ('BCP') establishes how [companyName] maintains the continuity of its essential services and critical ICT systems before, during and after a cybersecurity incident, in accordance with Article 21(2)(c) of Directive (EU) 2022/2555 (the 'NIS2 Directive') and the national law transposing that Directive which is enforced by [supervisoryAuthority]. It covers all critical business functions, all ICT systems supporting those functions, and all employees, contractors and third parties involved in their operation. [companyName] is classified as a [entityClassification] entity in the [sectorClassification] sector under the NIS2 Directive. This plan is effective as of 2026-04-26 and shall next be reviewed on or before [reviewDate].

2. Business Impact Analysis

[companyName] maintains a documented Business Impact Analysis ('BIA') covering each critical function and supporting ICT system, updated at least annually. For each critical function the BIA records: (a) the maximum tolerable downtime ('MTD'), being the period of disruption beyond which the harm to data subjects, customers, suppliers, financial position, regulatory standing or reputation becomes unrecoverable; (b) the recovery time objective ('RTO'), being the targeted time within which the function must be restored after disruption, which is always shorter than the MTD; (c) the recovery point objective ('RPO'), being the maximum acceptable data loss measured in time, which in turn bounds the backup frequency required under Section 3. Default organisation-wide targets, which the BIA may tighten for individual functions, are: MTD = [mtdTarget], RTO = [rtoTarget], RPO = [rpoTarget]. Impact is rated across four categories (financial, operational, reputational and regulatory) using the criteria set out in Appendix A. The BIA informs the prioritisation of recovery activities under Section 3 and the resource allocation under Section 4.

3. Recovery Strategies

For each critical function and supporting ICT system, [companyName] maintains a documented recovery strategy specifying: (a) primary and alternative processing arrangements (in-house, cloud, third-party hot-site, manual workaround); (b) backup type, frequency, retention and off-site storage location, with at least one geographically separated copy and one offline or immutable copy to mitigate ransomware; (c) recovery method, sequencing and dependencies between systems; (d) data integrity and confidentiality controls applicable during recovery, including verification of backup integrity before restoration and rotation of any potentially compromised credentials. Recovery strategies are validated against the targets set out in Section 2 and tested under Section 6. Where third-party services support critical functions, contractual continuity and exit obligations are set out in [companyName]'s Supply Chain Security Policy.

4. Integration with Incident Response and Crisis Management

This BCP integrates with [companyName]'s Incident Response Plan: a confirmed P1 or P2 cybersecurity incident, or any incident projected to exceed the MTD of a critical function, automatically triggers business-continuity activation. The Crisis Management Team is convened and led by the Crisis Manager ([crisisManager]) within one (1) hour of activation; [cisoName] directs the technical recovery and security response within the team. The team has authority to: (a) declare a continuity event and invoke recovery strategies; (b) authorise emergency expenditure within delegated limits; (c) suspend non-critical operations to free resources; (d) coordinate communications under Section 5; (e) liaise with the supervisory authority [supervisoryAuthority] and, where applicable, with the national CSIRT for purposes of incident reporting under Article 23 of the NIS2 Directive.

5. Communication Plan

During a continuity event, [companyName] communicates with stakeholders through pre-defined channels and templates. Internal staff are informed via the emergency communication tree maintained by the Communications Lead. Customers and data subjects are informed where the incident affects the availability or confidentiality of services they rely on, in language appropriate to the audience and consistent with any obligations under Article 34 GDPR (communication of a personal data breach to data subjects) and Article 23(2) of the NIS2 Directive (notification of recipients of services). Where an incident is significant within the meaning of Article 23(3) of the NIS2 Directive, the national CSIRT or, where applicable, the supervisory authority [supervisoryAuthority] receives the early warning within 24 hours of [companyName] becoming aware of the incident, the incident notification within 72 hours of becoming aware, and the final report no later than one (1) month after submission of the incident notification, as required under Article 23(4); intermediate status reports are provided on request. Communications with regulators, law enforcement, insurers and critical suppliers are coordinated by the Crisis Manager and Legal Counsel and logged in the incident record. Public communications are issued only with the prior approval of the Crisis Management Team.

6. Testing, Exercises and Maintenance

[companyName] tests this plan at least annually using a combination of: (a) tabletop exercises simulating cyber and operational scenarios, including ransomware affecting primary and backup systems; (b) functional tests of backup restoration and failover, which measure the achieved recovery time and data loss against the RTO and RPO targets set out in Section 2; (c) full-scale exercises involving multiple teams and third parties. Each test produces a report identifying gaps, action items, owners and target completion dates. Action items are tracked through to closure and material changes feed into the next revision of this plan. The plan is reviewed and, where required, updated: (i) at least annually; (ii) following any significant incident; (iii) following material changes to business operations, critical systems, suppliers, regulatory requirements or threat landscape; (iv) following changes to the entity classification or sectoral coverage of [companyName] under the NIS2 Directive.

7. Governance, Roles and Document Control

Accountability for this plan rests with the management body of [companyName], which approves and oversees its implementation in accordance with Article 20(1) of the NIS2 Directive. Day-to-day ownership is held by [cisoName]. The Crisis Manager [crisisManager] leads continuity events. The Crisis Management Team comprises: the Crisis Manager, the CISO, an Operations Lead, the Communications Lead and Legal Counsel, with sector-specific experts co-opted as required. Members of the management body complete training on the contents and operation of this plan, in line with the training obligation placed on management bodies by Article 20(2) of the NIS2 Directive. This plan is classified as confidential and is distributed on a need-to-know basis. The current version, version history, approval evidence and last review date are recorded in the document control register maintained by the CISO.