NIS2 Requirements for Operational Continuity and Resilience
The Network and Information Security 2 (NIS2) directive introduces stringent cyber risk management obligations and aims to enhance the business resilience of critical infrastructure in Europe. Specifically, the directive requires essential and important entities to take technical, operational and organisational measures to secure their networks and information systems and to ensure continuity of services in the event of incidents. Among the key requirements stipulated (Art. 21) are:
- Risk analysis and information security policies, with an all-hazards approach that considers all relevant threats (cyber, physical, etc.) to systems and their operational environment.
- Incident handling, including procedures for detecting and responding to incidents (the reporting obligations for significant incidents are set out separately in Art. 23).
- Business continuity and crisis management, such as proper backup management and disaster recovery plans, to be able to restore critical functions after destructive events. The directive thus requires business continuity to be addressed explicitly, and in practice this means mapping critical processes, testing plans regularly, and assessing risks along the supply chain.
- Supply chain security: security aspects related to direct suppliers and service providers should be considered, assessing their vulnerabilities and reliability, as a cyber incident at a supplier can affect the company itself.
These measures all aim to minimize the impact of incidents on recipients of essential services and on society by elevating the organization's resilience. In summary, NIS2 makes the link to business continuity explicit by recognizing it as a fundamental element of security: the ability to prepare for and respond to operational disruptions is an integral part of regulatory compliance.
Why Business Continuity must go beyond IT
Implementing business continuity from a NIS2 perspective means going beyond IT systems continuity alone. Historically, many companies have focused on IT disaster recovery, but NIS2 shifts the focus to the continuity of the company's operational processes as a whole. In other words, the point is not just to restore servers and data, but to ensure that the processes essential to delivering products and services can continue even during severe incidents. This requires a holistic approach: an IT disaster recovery plan alone "makes little sense" if its recovery requirements (recovery time and recovery point objectives) have not been derived from the needs of the business processes the systems support.
For this, the first step is to conduct a Business Impact Analysis (BIA): an impact analysis that assesses the consequences of downtime for individual business processes and identifies which functions should be restored as a priority. The BIA helps define the company's downtime tolerance, taking into account not only internal economic losses but also the external impacts (social, customer or territorial) that NIS2 urges entities to mitigate. Crucially, through the BIA the company identifies critical dependencies: the resources necessary for processes to function, ranging from personnel, locations and raw materials to external services and strategic suppliers. This mapping of dependencies highlights the weak points where a failure or disruption (not only in IT, but also in logistics, energy, etc.) could halt operations.
NIS2 places special emphasis precisely on dependencies on critical suppliers: a cyber attack or major malfunction at a supplier can disrupt the provision of essential goods and services and thus impact the continuity of the obligated entity. The directive accordingly requires the risks arising from direct suppliers and service providers to be assessed. For example, an essential manufacturing company will need to consider what would happen if its supplier of key components were affected, and prepare countermeasures (alternative suppliers, stockpiles, etc.). Similarly, a hospital in scope of NIS2 cannot just protect its servers: it must ensure that its providers of digital services, energy, medical equipment, etc., also have adequate continuity plans. In essence, to be NIS2 compliant, business continuity must be extended to the entire organization and its supply chain, not just ICT. After all, the directive's measures apply to the entity as a whole, requiring all areas supporting critical services to be protected, including functions such as logistics, human resources and procurement. This all-pervasive approach ensures complete business resilience: the company becomes capable of absorbing and overcoming operational shocks because it has considered every indispensable element of its business in advance.
Integration of Business Continuity into NIS2 Compliance Plans
To meet NIS2 requirements, companies should integrate business continuity into their compliance and security management programs. One effective way is to adopt a Business Continuity Management System (BCMS) inspired by international best practices such as ISO 22301 and the Professional Practices of the Disaster Recovery Institute International (DRI). These frameworks provide a systematic approach to building, implementing and maintaining business continuity, helping to cover precisely the areas required by NIS2. In practice, companies can:
- Perform a Business Impact Analysis and risk assessment: identify essential processes and services, the critical resources that support them, and the potential risks of disruption. ISO 22301, for example, requires a BIA to identify time-sensitive processes and assess the impacts of a shutdown, together with a related risk analysis. This includes assessing cyber and non-IT risks, and considering crisis scenarios both internally and along the supply chain (as required by NIS2).
- Define continuity strategies and plans: based on the results of the BIA and risk assessment, develop countermeasures and solutions to keep the business operational even under adverse conditions. This includes business continuity plans for business processes and disaster recovery plans for the IT systems that support them. ISO 22301 emphasizes precisely the development of documented plans to ensure continuity and recovery within acceptable time targets. Such plans must cover not only the IT infrastructure, but also alternate sites, manual emergency procedures, replacement of critical suppliers or supplies, etc., in line with the "beyond IT" approach discussed above.
- Implement a crisis and communication structure: set up a crisis team and crisis management procedures that are activated immediately when needed. This fulfills the crisis management aspect mentioned in NIS2. Best practices such as those of DRI suggest defining roles and responsibilities in advance (e.g., a command team and internal and external communication plans) to avoid confusion during an incident.
- Training and awareness: train staff on the continuity plans and on their role in the event of an adverse event. All stakeholders, not just IT but business unit managers, critical suppliers, etc., must be familiar with the emergency procedures. NIS2 also requires basic cyber hygiene practices and security training, so integrating BC/DR training into corporate awareness programs increases overall readiness.
- Testing, drills and continuous improvement: an effective BCMS involves periodic testing (simulations, drills, recovery exercises) of the plans to verify their effectiveness, with updates based on the results: for example, disaster recovery drills on IT systems, or simulations of supply disruptions or blackouts to assess the organizational response. DRI's Professional Practices emphasize the importance of exercising and maintaining plans, as well as reviewing them regularly to close any gaps that emerge. This iterative process ensures that the company continually improves its resilience.
By following these practices, a company integrates business continuity into its NIS2 compliance plan in a concrete way. ISO 22301 provides a certifiable framework for demonstrating robust business continuity processes; while certification does not by itself guarantee NIS2 compliance, it provides a solid foundation. In parallel, adherence to DRI or similar guidelines ensures that no critical aspect is overlooked in the continuity program. Ultimately, implementing a comprehensive business continuity system that embraces technology, people, locations and suppliers is not only useful but necessary for NIS2 compliance. It enables the specific requirements (BC plans, supply chain resilience, crisis management, etc.) to be met while strengthening overall business resilience. Organizations so prepared will be able to absorb and overcome even the most serious incidents, ensuring continuity of essential services and protecting customers, partners and stakeholders, which is, after all, the primary goal of NIS2.