Contents

ICT business continuity plans (ICT BCP)

ICT business continuity plans (ICT BCP)

Purpose and Scope

Financial entities must establish, maintain, and regularly test ICT Business Continuity Plans (ICT BCP)—a core component of the ICT risk management framework under Article 6(1) DORA.

The ICT BCP ensures the continuity of ICT services and the preservation of the entity’s ability to deliver critical or important functions during and after severe disruptions. It reflects:

the results of the Business Impact Analysis (BIA) under Article 11(5) DORA,
the digital operational resilience objectives,
dependencies on ICT infrastructure, third-party providers, and critical information assets.

The BCP must apply to all ICT systems supporting all functions, with enhanced resilience for systems supporting critical or important functions.

Mandatory Testing Requirements (Article 11(6)(a)–(b) DORA)

Annual Testing and Testing Following Substantive Changes

Financial entities must test:

ICT business continuity plans, and
ICT response and recovery plans

at least once a year, and additionally:

upon any substantive change to ICT systems that support critical or important functions.

Crisis Communication Plan Testing

Entities must test the crisis communication plans established under Article 14 DORA as part of the yearly continuity testing cycle.

Required Testing Scenarios (for all except microenterprises)

Testing must include:

cyber-attack scenarios,
switchover from primary ICT infrastructure to redundant capacity,
failover to backups and redundant facilities necessary to meet Article 12 DORA obligations.

Testing must reflect realistic, severe but plausible conditions.

Review and Continuous Improvement

ICT business continuity policy, ICT BCP, and ICT response and recovery plans must be:

regularly reviewed,
considering results of BCP testing,
and incorporating recommendations from audit checks or supervisory reviews.

Mandatory Components of the ICT Business Continuity Policy (Article 24 RTS RMF)

Descriptive Components (Article 24(1)(a))

The ICT business continuity policy must contain:

(i) Policy Objectives

Objectives of ICT business continuity,
Relationship between ICT continuity and overall business continuity,
Consideration of BIA outcomes.

(ii) Scope

Coverage of ICT continuity arrangements, plans, procedures, and mechanisms,
Explicit limitations and exclusions.

(iii) Timeframe of Coverage

Time horizon for ICT continuity measures (short-term, medium-term, long-term).

(iv) Activation and Deactivation Criteria

Documented criteria governing:

activation of ICT BCP,
activation of ICT response and recovery plans,
activation of crisis communication plans,
deactivation and transition back to normal operations.

Governance and Organisational Provisions (Article 24(1)(b))

(i) Governance Structure

roles and responsibilities,
escalation procedures,
resource allocation (human, technical, financial).

(ii) Alignment with the Overall Business Continuity Plan

ICT BCP must be aligned with the overall BCP with respect to:

Potential failure scenarios, including those under Article 26(2) RTS RMF;
Recovery objectives, explicitly:
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
  for critical or important functions.

(iii) Risk-Based Prioritisation

development of ICT BCP using a risk-based approach,
prioritisation of actions for severe disruptions.

(iv) Development, Testing, and Review of ICT Response and Recovery Plans

Must reflect Articles 25 and 26 RTS RMF.

(v) Review of Continuity Effectiveness

procedures for recurring review,
assessment of effectiveness based on exercises, incidents, and monitoring results.

(vi) Alignment with Communication Policies

ICT BCP must align with:

Article 14(2) DORA communication policies (staff & stakeholders),
Article 11(2)(e) DORA crisis communication arrangements.

Additional Requirements for CCPs, CSDs, and Trading Venues (Article 24(2)–(4))

While not applicable to all financial entities, the RTS imposes sector-specific obligations:

Central Counterparties (CCPs)

Max RTO for critical functions: ≤ 2 hours.
Consider interdependencies in infrastructure ecosystems.
Maintain:
- secondary processing site identical to primary,
- secondary business site,
- arrangements for disaster scenarios,
- potential additional processing sites if risk diversification is insufficient.

Central Securities Depositories (CSDs)

RTO for critical or important functions: ≤ 2 hours.
Must incorporate dependencies on users, utilities, CSDs, and infrastructures.

Trading Venues

Resume trading within or close to 2 hours after disruption.
Maximum data loss after disruption: close to zero.

Testing Requirements under Article 25 RTS RMF

Testing must confirm the entity’s ability to ensure continuity of critical or important functions. The testing program must:

Basis (Article 25(1))

Consider:

Business Impact Analysis (BIA),
ICT risk assessment under Article 3 RTS RMF.

Test Design (Article 25(2))

Testing must:

(a) Use severe but plausible scenarios

Including disruptions defined in the BCP.

(b) Include ICT services provided by ICT third-party service providers

Consider:

insolvency scenarios,
service provider failure,
political risk affecting provider jurisdiction.

(c) Include switchover scenarios

(from primary to redundant infrastructure, backups, and facilities).

(d) Challenge assumptions

Including:

governance arrangements,
crisis communication plans.

(e) Verify ability of staff, systems, services, and third parties to respond

Aligned with disruption scenarios under Article 26(2).

Sector-Specific Testing for CCPs and CSDs (Article 25(3)–(4))

Testing must involve:

clearing members,
users,
critical service providers,
external providers,
interconnected infrastructures,
other CSDs or CCPs as applicable.

Documentation and Remediation (Article 25(5))

Entities must:

document test results,
analyse deficiencies,
remediate deficiencies,
report them to the management body.

Article 11 (6)(a) DORA

Article 11 DORA – Response and recovery

Article 24 and 25 RTS RMF

RTS RMF