7. POLICIES AND PROCEDURES TO ASSESS THE EFFECTIVENESS OF CYBERSECURITY RISK-MANAGEMENT MEASURES
8. BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING
9. CRYPTOGRAPHY

4.1 Business continuity and disaster recovery plans

4.1.1. For the purpose of Article 21(2), point (c) of Directive (EU) 2022/2555, the relevant entities shall lay down and maintain a business continuity and disaster recovery plan to apply in the case of incidents.

4.1.2. The relevant entities’ operations shall be restored according to the business continuity and disaster recovery plan. The plan shall be informed by the results of the risk assessment and shall include the following:

(a) purpose, scope and audience;
(b) roles and responsibilities;
(c) key contacts and (internal and external) communication channels;
(d) conditions for plan activation and deactivation;
(e) order of recovery for operations;
(f) recovery plans for specific operations, including recovery objectives;
(g) required resources, including backups and redundancies;
(h) restoring and resuming activities from temporary measures;
(i) interfaces to incident handling.

4.1.3. The relevant entities shall carry out a business impact analysis to assess the potential impact of severe disruptions to their business operations and shall, based on the results of the business impact analysis, establish continuity requirements for the network and information systems.

4.1.4. The business continuity plan and disaster recovery plan shall be tested, reviewed and, where appropriate, updated at planned intervals and following significant incidents or significant changes to operations or risks. The relevant entities shall ensure that the plans incorporate lessons learnt from such tests.

As of: 27.06.2024
