Business Continuity

The delivery of critical services to end-users is the main concern of NIS2, and business continuity is therefore a requirement. Meeting it calls for a business continuity plan, backups, redundancy and crisis management procedures.

Business Continuity Procedures

Organisations must ensure that their operations can continue, and that cybersecurity is maintained, during a major incident or crisis, and that normal operations can be restored once the incident or crisis is over.

Requirements

Your organisation must establish and maintain business continuity procedures to be applied in the event of a cyber security incident. The procedures must include a plan for continued operations during the incident and a recovery plan for afterwards, and the organisation must follow that recovery plan when restoring normal operations.

The business continuity procedure must be based on a risk assessment and it may include:

  • the purpose, scope, and intended audience of the procedure,
  • roles and responsibilities in the event of a crisis,
  • internal and external personnel and a list of the communication channels to be used in the event of an emergency,
  • conditions for activating and deactivating the organisation’s contingency measures,
  • a description of the resources needed to maintain operations in a crisis, such as backup, reloading, and redundancy,
  • a description of how the organisation will coordinate with those responsible for incident handling, for example what operations can continue without interfering with efforts to contain an attack.

The recovery plan may include:

  • recovery plans for specific operational systems and recovery objectives, such as the minimum acceptable level of service, how quickly it must be reached, and which data must be restored first,
  • the sequence for restoring operations, for example which services must come online first due to interdependencies, and how temporary measures can be used, such as manual processes or alternative communication methods,
  • a plan for verifying that confidentiality and integrity have not been compromised during recovery.

Documentation

Your business continuity procedure should be reviewed and tested at regular planned intervals, as well as after major incidents or significant changes in the operating environment or risk situation. Your reviews must check whether the procedure works as intended and is sufficiently up to date for the organisation’s current conditions, and any changes to the procedures should be documented.

Backup

You must have backup procedures to ensure that the organisation’s relevant data is backed up so that it can be restored in case of loss, damage, or any other disruption.

Requirements

Your organisation must have procedures to make sure all relevant data, including configuration data, is backed up in a way that supports business continuity.

Your backup plans should be based on your risk assessment and business continuity plans and may consider the following:

  • Define the maximum acceptable time to restore data,
  • Ensure backups are complete and accurate, including configuration data and data stored in cloud services,
  • Store backup copies securely, either online or offline, at one or more locations outside the main system’s network and far enough away to avoid damage from incidents at the main site,
  • Apply strong physical and logical access controls for backups, including during transport, such as locked server rooms, sealed transport, encrypted backups with external key management, Role-Based Access Controls (RBAC), or Multi-Factor Authentication (MFA),
  • Define how long backups must be kept, based on business, legal, and regulatory requirements,
  • Specify when and how data may be restored, including who must approve the process,
  • Carry out regular checks and restore tests to confirm that backups are accurate, complete, and restorable, and that the backup and restore procedures themselves work as documented.

In OT (Operational Technology) environments, where uptime is critical, alternative recovery methods may also be used, such as storing configuration files for quick reloading, using system redundancy, or failover to preconfigured devices.

Documentation

Your organisation should document that it regularly tests backups or alternative recovery methods to confirm that they are complete and available as described in the backup procedures. A backup that exists and looks complete may still be unreadable, corrupt or tampered with, so its integrity should be verified, for example through a test restore, rather than assumed from its presence or size. The results of these tests should be documented and approved by the relevant management.
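The following Python script is an added example, not part of the original page or of any NIS2 guidance, showing one way to implement the checks described above: it records a SHA-256 digest for every file in a backup set, authenticates that manifest with an HMAC whose key is assumed to be held outside the backup store (the external key management mentioned in the backup requirements), and then verifies completeness, integrity and restorability. The directory layout, the demo key and the sample files are constructed for the example; the point is that a file with the right name and size still fails the digest check when a single byte has changed.

```python
"""Verify a file-based backup before trusting it (constructed example).

A size or existence check alone misses silent corruption and tampering, so this
checks three things: the manifest is authentic (HMAC), every listed file is
present (completeness), every present file matches its digest (integrity), and
then performs a test restore into a scratch directory.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"
MANIFEST_MAC = "manifest.hmac"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, key):
    """Record digest and size of every file in backup_dir; HMAC the manifest with key."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name in (MANIFEST, MANIFEST_MAC):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir)
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    body = json.dumps(entries, sort_keys=True).encode()
    with open(os.path.join(backup_dir, MANIFEST), "wb") as f:
        f.write(body)
    with open(os.path.join(backup_dir, MANIFEST_MAC), "w") as f:
        f.write(hmac.new(key, body, hashlib.sha256).hexdigest())
    return entries


def verify_backup(backup_dir, key):
    """Return a report; 'ok' is True only if manifest, completeness and integrity all pass."""
    report = {"ok": False, "manifest_tampered": False, "missing": [], "corrupt": [], "checked": 0}
    try:
        with open(os.path.join(backup_dir, MANIFEST), "rb") as f:
            body = f.read()
        with open(os.path.join(backup_dir, MANIFEST_MAC)) as f:
            stored_mac = f.read().strip()
    except FileNotFoundError:
        report["manifest_tampered"] = True  # no manifest or MAC: treat as untrustworthy
        return report
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stored_mac):
        report["manifest_tampered"] = True  # manifest edited to hide a missing/altered file
        return report
    for rel, meta in json.loads(body).items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        report["checked"] += 1
        # size may be unchanged while content differs; only the digest catches that
        if sha256_file(full) != meta["sha256"]:
            report["corrupt"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def restore_and_verify(backup_dir, key, restore_dir):
    """Test restore: copy the verified set into restore_dir and re-check the restored files."""
    if not verify_backup(backup_dir, key)["ok"]:
        return False
    with open(os.path.join(backup_dir, MANIFEST), "rb") as f:
        entries = json.loads(f.read())
    for rel in entries:
        dst = os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
    return all(sha256_file(os.path.join(restore_dir, r)) == m["sha256"] for r, m in entries.items())


def demo():
    """Constructed end-to-end run: a clean backup passes, a damaged one is caught."""
    key = b"constructed-demo-key; a real key would be held outside the backup store"
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "backup")
    os.makedirs(os.path.join(backup, "config"))
    with open(os.path.join(backup, "config", "router.conf"), "w") as f:
        f.write("hostname edge-01\ninterface eth0\n")  # constructed sample data
    with open(os.path.join(backup, "db.sql"), "w") as f:
        f.write("INSERT INTO customers VALUES (1, 'alice');\n")  # constructed sample data
    write_manifest(backup, key)
    clean = verify_backup(backup, key)
    restored = restore_and_verify(backup, key, os.path.join(work, "restore"))
    # Damage the set: flip one byte (same size) and delete a file, then re-verify.
    with open(os.path.join(backup, "db.sql"), "w") as f:
        f.write("INSERT INTO customers VALUES (1, 'alicf');\n")
    os.remove(os.path.join(backup, "config", "router.conf"))
    damaged = verify_backup(backup, key)
    shutil.rmtree(work)
    return clean, restored, damaged


if __name__ == "__main__":
    c, r, d = demo()
    print("clean backup ok:", c["ok"], "| test restore ok:", r)
    print("damaged backup ok:", d["ok"], "| missing:", d["missing"], "| corrupt:", d["corrupt"])
```

The report returned by `verify_backup` is what a scheduled job would write to the test log that the documentation section asks for; a `manifest_tampered` result should be treated as a security event rather than a backup failure, because it means the integrity record itself was altered or removed.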

Redundancy

The purpose of implementing redundancy measures is to ensure that your organisation has access to sufficient resources when needed, including facilities, staff, network and information systems, and components. 

Requirements

Your organisation must assess whether there is a need to establish redundancy, for example by having spare IT equipment or alternative locations available. This assessment should be based on your organisation’s information security policy, risk management policy, and continuity plan.

When assessing the need for redundancy, consider for example:

  • network and information systems, including hardware, software, services, and data,
  • non-human assets, including facilities, equipment, and supplies,
  • staff with the necessary responsibilities, authority, and competence,
  • appropriate additional or alternative communication channels.

Your organisation may build redundancy internally or make agreements with third parties to ensure adequate redundancy.

Your organisation should also make sure that those responsible for monitoring and managing resources are informed of redundancy requirements, so expectations are clear and they can ensure that the necessary resources are available.

Documentation

You should regularly assess your need for redundancy in hardware, software, services, facilities, and other resources to ensure that the right resources are available in case of operational disruptions. It should be documented how to apply the redundant resources so that relevant staff know how to access and use them when needed.

Crisis management

The purpose of establishing crisis management procedures is to ensure that your organisation has processes in place to manage crises in the event of one or more simultaneous major incidents.

Requirements

Your organisation must assess if there is a need for a contingency plan with crisis management procedures. If such a need is identified, your organisation should create and document the procedures required to handle very serious incidents.

These crisis management procedures may address the following:

  • Cybersecurity should be maintained during a crisis by using appropriate measures such as support systems, defined processes, and extra capacity.
  • Roles and responsibilities for staff, suppliers, and service providers should be clearly defined, and they should know their responsibilities and the specific procedures to follow in a crisis.
  • Suitable communication methods and channels with the relevant sector authorities should be established. This must include mandatory communication, such as incident reporting within the required deadlines, as well as other relevant communication.

Your organisation should also implement a process for handling and using information received from the national CSIRT, such as security incidents, vulnerabilities, threats, and recommended measures.

Documentation

Your crisis management plan should be documented and reviewed at regular intervals to ensure it remains sufficient and up to date for your organisation’s current situation. Regular exercises should also be carried out to test whether the plan works as intended. Based on the results, any necessary changes to the plan should be made and documented.