NIS2: How to Maintain Operations if a Crisis Strikes

By 2025, companies must comply with the requirements of the EU NIS2 directive. Here, DBI (Danish Institute of Fire and Security Technology) explains how to meet these requirements and what Business Continuity Management (BCM) involves.

What is Business Continuity Management about?

The NIS2 directive aims to strengthen cybersecurity in critical societal sectors, with a portion dedicated to incident prevention. Business Continuity Management (BCM), however, focuses on ensuring that operations can continue even if an incident occurs. The goal is to minimize the disruption to operations caused by such an event, ensuring a swift return to normal functionality.

Since NIS2 focuses on cyber and information security, BCM primarily revolves around Backup Management and Disaster Recovery. The former concerns rapid restoration of data, while the latter deals with quickly restoring IT systems. For critical societal functions, this might involve IT systems essential to the operation of a utility company, for example.

Why is this part of NIS2?

BCM is included in NIS2 because critical infrastructure is increasingly reliant on IT systems, data, and digital services, making disruptions potentially far-reaching. For instance, it could be disastrous if a combined heat and power plant’s district heating pumps fail or if hospital staff lose access to patient records.

How should companies address Business Continuity Management?

1. Start with a Business Impact Analysis (BIA):
   Conduct a thorough assessment of how various incidents could impact operations. Identify the most critical functions to protect. This includes defining the Maximum Tolerable Downtime (MTD) for each critical function, which helps prioritize recovery efforts.
2. Develop Backup Management and Disaster Recovery Plans:
   Create detailed plans that not only address IT infrastructure but also account for human resources, physical locations, and third-party services. These plans should be reviewed regularly to reflect changes in organizational structure, technology, and external threats.
3. Regular Training and Simulation Exercises:
   Test recovery plans through drills and simulations to ensure effectiveness and preparedness. These exercises reveal weaknesses in the plans and provide personnel with hands-on understanding of procedures.
4. Clear Communication Strategies:
   Develop both internal and external communication strategies. Internally, ensure employees understand their roles during a crisis. Externally, maintain trust by being transparent about disruptions and recovery efforts with customers, partners, and the public.

Key Elements of a BCM Plan for NIS2 Compliance

• Detailed Recovery Strategies for Critical Functions:
  Include specific targets, such as Recovery Time Objectives (RTO) (the time needed to restore a function) and Recovery Point Objectives (RPO) (the point in time when recovery should begin) to minimize downtime and data loss.
• Plans for Managing Critical Vendors and Third-Party Services:
  Evaluate how incidents at vendors may affect the organization and create strategies to mitigate these risks, such as diversifying suppliers or strengthening partnerships.
• Cyber Resilience and Security Measures:
  Include actions to bolster cybersecurity, such as ongoing risk assessments, updated security protocols, and employee training on cybersecurity best practices.
• Regular Reviews and updates of BCM Plans:
  Implement a process to continuously evaluate and update BCM plans to ensure they remain effective and relevant in light of new threats, technological advancements, and business developments.

What pitfalls should you be aware of?

• Resource Demands:
  Developing and maintaining a comprehensive BCM strategy can be resource-intensive. Start by focusing on the most critical elements and gradually expand the plans.
• Lack of Management Support:
  Without strong leadership backing, BCM initiatives may lack the necessary resources and attention.
• Employee Resistance to Change:
  Employees may resist new procedures. Consistent communication, training, and involving them in the development of BCM plans can foster understanding and build a positive, resilient culture.