Contents
(Overall) business continuity policy (incl. BIA)
Purpose of the Requirement
The requirement ensures that financial entities maintain a comprehensive, integrated, and resilience-focused business continuity policy capable of managing severe business disruptions affecting ICT and non-ICT operations.
It mandates that ICT business continuity arrangements form an integral part of the entity’s overall business continuity policy, and that a structured, data-driven Business Impact Analysis (BIA) determines the criticality, interdependencies, and recovery needs of all business functions, processes, information assets, ICT assets, and third-party services.
The purpose is to ensure the continuity of critical or important functions in line with defined RTO/RPO requirements and the entity’s resilience expectations, regulatory obligations, and risk tolerance.
Scope of Application
The requirement applies to all financial entities, with proportionality for microenterprises.
The overall business continuity policy must cover:
- all business functions and support processes,
- ICT assets and ICT services,
- critical or important functions,
- intragroup and external ICT and non-ICT third-party dependencies,
- data centres, communication infrastructure, and key personnel,
- cross-border operations and interdependencies.
The BIA must cover the entire operating model, including:
- business processes and workflows,
- information assets and data categories,
- ICT assets and supporting infrastructure,
- external providers and critical utilities,
- legal, regulatory, and customer-impact dimensions.
Mandatory Components
Comprehensive ICT Business Continuity Policy within the Overall Business Continuity Framework
Under Article 11(1), the entity must maintain a comprehensive ICT business continuity policy that:
- is either integrated into or adopted as a dedicated part of the overall business continuity policy;
- is grounded in the requirements of the ICT risk management framework (Article 6(1));
- reflects the asset classification and mapping required under Article 8 DORA;
- describes objectives, roles, responsibilities, governance, processes, mechanisms, criteria for activation, and integration with crisis communication plans.
The policy must ensure the availability, integrity, and continuity of ICT systems supporting all functions, with prioritisation for critical or important functions.
Business Impact Analysis (BIA)
Article 11(5) requires the entity to conduct a structured and comprehensive BIA that:
- assesses the impact of severe business disruptions using quantitative and qualitative criteria;
- uses internal and external data, historical incidents, and scenario analysis;
- evaluates direct and indirect impact dimensions (e.g., financial loss, legal/regulatory impact, customer detriment, reputational damage);
- identifies criticality and risk exposure of business functions, support processes, information assets, ICT assets, and third-party dependencies;
- maps interdependencies, including upstream and downstream processes, ICT components, and data flows;
- establishes RTO (Recovery Time Objective) and RPO (Recovery Point Objective) requirements for critical or important functions;
- assesses whether current ICT systems, infrastructure, and services meet the redundancy and resilience requirements derived from the BIA.
Alignment of ICT Architecture, Assets, and Services with the BIA
Financial entities must ensure that:
- ICT assets and ICT services are designed and operated in full alignment with the results of the BIA;
- redundancy requirements derived from the BIA (e.g., failover capabilities, backup infrastructure, mirrored environments, network diversity) are implemented;
- configurations, architectures, and dependencies do not introduce single points of failure inconsistent with the BIA results;
- third-party ICT services (including cloud and intragroup shared services) meet the resilience levels required by the entity’s BIA and regulatory obligations.
Integration with ICT Response, Recovery, and Crisis Communication
The overall business continuity policy must be:
- aligned with ICT response and recovery plans (Article 11(3)),
- integrated with crisis communication plans (Article 14),
- harmonised with ICT business continuity arrangements defined in RTS RMF Articles 24–26,
- consistent with governance and organisational responsibilities under Article 5(2)(e) DORA.
The policy must provide a unified framework for activation and escalation across ICT and non-ICT disruptions.
Interdependencies with Other DORA Requirements
The overall business continuity policy, including the BIA, is tightly linked to:
- ICT risk identification and classification (Article 8)
- ICT risk management strategy (Article 6(8))
- ICT response and recovery planning (Article 11(2)–(4))
- Backup, restoration, and recovery procedures (Article 12)
- Crisis communication (Article 14)
- ICT-related incident detection and management (Articles 10 and 17)
- ICT third-party risk management and exit strategies (Article 28)
- Digital operational resilience testing (Articles 24–26)
- Annual management body review (Article 6(5))
The BIA serves as the central analytical tool underpinning continuity requirements, resilience testing scenarios, redundancy design, and dependency oversight.
Documentation Requirements
Financial entities must document:
- the overall business continuity policy, including the ICT business continuity annex or dedicated policy;
- the full BIA methodology, data sources, assumptions, scenarios, and evaluation criteria;
- the criticality assessment of functions and processes;
- mapping of ICT assets, information assets, and dependencies;
- defined RTO/RPO values and justification;
- results of scenario analyses and quantitative/qualitative impact metrics;
- architectural and redundancy requirements derived from the BIA;
- periodic reviews, updates, and versioning;
- links to ICT response and recovery plans and crisis communication plans.
Documentation must allow supervisory authorities to verify that the policy is comprehensive, consistent, and effectively implemented.
Governance and Oversight
Under Article 5(2)(e), the management body must:
- approve the ICT business continuity policy and ensure its integration into the overall business continuity policy;
- oversee and periodically review the implementation and adequacy of the policy and associated ICT response and recovery plans;
- ensure that the BIA is conducted thoroughly, updated periodically, and used to determine resilience requirements;
- ensure that sufficient human, technical, and financial resources support continuity, redundancy, and recovery capabilities;
- verify that third-party dependencies and ICT services supporting critical or important functions meet resilience expectations;
- ensure that BCP-related assumptions, findings, and exposures escalate through appropriate governance channels.
The governance model must reflect the three-lines-of-defence structure and require independent internal audit review where applicable.