NIS2 Requirements for Operational Continuity and Resilience
The Network and Information Security 2 (NIS2) directive introduces stringent cyber risk management obligations and aims to enhance the business resilience of critical infrastructure in Europe. Specifically, the directive requires essential and important entities to take technical and organizational measures to secure networks and information systems and to ensure continuity of services in the event of incidents. Among the key requirements stipulated (Art. 21) are:
- Risk analysis and information security policies, with an all-hazards approach that considers all relevant threats (cyber, physical, etc.) to systems and their operational environment.
- Incident management (incident handling), including procedures for detecting, responding to, and reporting significant incidents.
- Business Continuity and crisis management, such as through proper backup management and disaster recovery plans, to be able to restore critical functions after destructive events. Indeed, the directive requires the adoption of Business Continuity plans to ensure operations in the event of incidents, requiring critical processes to be mapped, plans to be tested regularly, and risks to be assessed along the supply chain.
- Supply chain security: security aspects related to critical (direct) suppliers and partners should be considered, assessing their vulnerabilities and reliability, as a cyber incident at a supplier can affect the company itself.
These measures all aim to minimize the impact of any incidents on recipients of essential services and society by elevating the organization’s resilience. In summary, NIS2 makes explicit the link to Business Continuity by recognizing it as a fundamental element of security: the ability to prepare for and respond to operational disruptions is an integral part of regulatory compliance.
Why Business Continuity must go beyond IT
Implementing Business Continuity from a NIS2 perspective means going beyond just IT systems continuity. Historically, many companies have focused on IT disaster recovery, but NIS2 shifts the focus to the continuity of the company’s operational processes as a whole. In other words, the “point of focus” is not just to restore servers and data, but to ensure that processes essential to delivering products and services can continue even during severe incidents. This requires a holistic approach: for example, an IT disaster recovery plan alone “makes little sense” if recovery requirements have not been defined based on the needs of the business processes supported by the systems.
For this, the first step is to conduct a Business Impact Analysis (BIA): an impact analysis that assesses the consequences of downtime for individual business processes and identifies which functions should be restored as a priority. The BIA helps define the company’s downtime tolerance, taking into account not only internal economic losses but also external impacts (social, customer or territorial) that NIS2 urges to mitigate. Crucially, through the BIA, the company identifies critical dependencies: resources necessary for processes to function, ranging from personnel, locations and raw materials to external services and strategic suppliers. This mapping of dependencies highlights weak points where a failure or disruption (not only IT, but also logistics, energy, etc.) could halt operations.
NIS2 places special emphasis precisely on dependencies on critical suppliers: a cyber attack or major malfunction at a supplier can disrupt the provision of essential goods/services and thus impact the continuity of the obligated business. Not surprisingly, the directive requires each direct supplier to be assessed in terms of risk. For example, an essential manufacturing company will need to consider what would happen if its supplier of key components were affected, preparing countermeasures (alternative suppliers, stockpiles, etc.). Similarly, a hospital included in NIS2 cannot just protect its servers: it must ensure that its providers of digital services, energy, medical equipment, etc., also have adequate continuity plans. In essence, to be NIS2 compliant, business continuity must be extended to the entire organization and supply chain, not just ICT. After all, the directive applies to the entire organization, requiring all areas supporting critical services to be protected, including functions such as logistics, human resources and supply chain. This all-pervasive approach ensures complete business resilience: the company becomes capable of absorbing and overcoming operational shocks because it has considered every indispensable element of its business in advance.
Integration of Business Continuity into NIS2 Compliance Plans
To meet NIS2 requirements, companies should integrate Business Continuity into their compliance and security management programs. One effective way is to adopt a Business Continuity Management System (BCMS) inspired by international best practices such as ISO 22301 and the Professional Practices of the Disaster Recovery Institute International (DRI). These frameworks provide a systematic approach to building, implementing and maintaining business continuity, helping to cover precisely the areas required by NIS2. In practice, companies can:
- Perform a Business Impact Analysis and Risk Assessment: identifying essential processes and services, critical support resources, and potential risks of disruption. ISO 22301, for example, requires conducting a BIA to identify time-sensitive processes and assess the impacts of a shutdown, as well as performing a related risk analysis. This includes assessing cyber and non-IT risks, and considering crisis scenarios both internally and along the supply chain (as required by NIS2).
- Define continuity strategies and plans: based on the results of the BIA/risk assessment, develop countermeasures and solutions to keep the business operational even under adverse conditions. This includes business continuity plans for business processes and disaster recovery plans for supporting IT systems. The ISO 22301 standard emphasizes precisely the development of documented plans to ensure continuity and recovery within acceptable time targets. It is important that such plans cover not only the IT infrastructure, but also alternate sites, manual emergency procedures, replacement of critical suppliers or supplies, etc., in line with the “beyond IT” approach discussed above.
- Implement a crisis and communication structure: set up a crisis team and emergency management (crisis management) procedures that are activated immediately when needed. This fulfills the crisis management aspect mentioned in NIS2. Best practices such as those in DRI suggest defining roles and responsibilities in advance (e.g., command team, internal and external communication plans) to avoid confusion during an incident.
- Training and awareness: train staff on continuity plans and their role in the event of an adverse event. All stakeholders (not just IT, but business unit managers, critical suppliers, etc.) must be familiar with emergency procedures. NIS2 also requires basic cyber hygiene practices and security training, so integrating BC/DR training into corporate awareness programs increases overall readiness.
- Testing, drills and continuous improvement: an effective BCMS involves periodic testing (simulations, drills, recovery exercises) of plans to verify their effectiveness, followed by updates based on the results. Examples include disaster recovery drills on IT systems and simulations of supply disruptions or blackouts to assess the organizational response. DRI’s Professional Practices emphasize the importance of exercising and maintaining plans, as well as reviewing them regularly to close any gaps that emerge. This iterative process ensures that the company continually improves its resilience.
By following these practices, a company integrates Business Continuity into its NIS2 compliance plan in a concrete way. ISO 22301 provides a certifiable framework for demonstrating robust business continuity processes (while not guaranteeing full NIS2 compliance by itself, it provides a solid foundation). In parallel, adherence to DRI or similar guidelines ensures that no critical aspect is overlooked in the continuity program. Ultimately, implementing a comprehensive Business Continuity system that embraces technology, people, locations, and suppliers is not only useful but necessary for NIS2 compliance. It enables specific requirements (BC plans, supply chain resilience, crisis management, etc.) to be met while strengthening overall business resilience. Organizations so prepared will be able to absorb and overcome even the most serious incidents, ensuring continuity of essential services and protecting customers, partners and stakeholders, which is, after all, the primary goal of NIS2.