BCM under NIS2: Build Business Continuity Management (2026)

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Section 30 BSIG (German Cybersecurity Act), para. 2 no. 5 requires continuity of operations including backup management, recovery, and crisis management
  • BIA output: critical business processes plus RTO/RPO targets and dependency map
  • Emergency plan: crisis team, escalation paths, contact lists, rollback procedures
  • ISO 22301 as best practice (not mandatory under NIS2)
  • Minimum cadence: annual tabletop exercise plus a live test every 2 years

1. Legal basis: NIS2 and ISO 22301

Section 30, para. 2 no. 5 BSIG requires "continuity of operations, including backup management and recovery, as well as crisis management." This is operationalized by BSI Standard 200-4 and the ENISA "Risk Management Guidelines for NIS2 Entities" (October 2024). NIS2 itself does not mandate ISO 22301 certification, but supervisory authorities expect equivalent structures.

2. Business Impact Analysis (BIA)

  1. Build an inventory of business processes.
  2. Score each process for criticality (financial, reputational, legal).
  3. For each critical process, document the IT dependencies.
  4. For each IT system, define the maximum tolerable period of disruption (MTPD).
  5. Derive RTO and RPO targets from MTPD.

3. Define RTO and RPO

Process       | RTO (max. outage) | RPO (max. data loss) | Implementation
Online shop   | 1 h               | 15 min               | HA cluster + real-time replication
ERP / payroll | 4 h               | 1 h                  | Hot standby + backups
Email         | 4 h               | 15 min               | Microsoft 365 geo-redundancy
HR software   | 24 h              | 4 h                  | Daily cloud backup
Intranet      | 72 h              | 24 h                 | Weekly tape backup
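The BIA steps in section 2 and the RTO/RPO table above leave one point implicit: an IT system shared by several processes must meet the tightest RTO and RPO among them, and the backup schedule has to be checked against that inherited RPO. The following is an added example, not from the article or any NIS2 kit; the processes, MTPD values, system names and backup intervals are constructed, and the RTO-as-half-MTPD margin is an assumed heuristic.

```python
"""Derive per-system RTO/RPO targets from a BIA and flag backup gaps.

Constructed example with a hypothetical SME; process names, MTPD values
and backup intervals are assumptions, not figures from the article.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    name: str
    mtpd_h: float   # maximum tolerable period of disruption, in hours
    rpo_h: float    # acceptable data loss, in hours (from the BIA interview)
    systems: tuple  # IT systems the process depends on

# BIA output (constructed sample)
PROCESSES = (
    Process("Online shop", 2, 0.25, ("webshop", "payments", "directory")),
    Process("Payroll", 8, 1, ("erp", "directory")),
    Process("Intranet", 96, 24, ("wiki", "directory")),
)

# Assumed safety margin: RTO is set to half the MTPD so that a recovery
# overrun does not immediately breach the tolerable outage.
RTO_MARGIN = 0.5

def derive_targets(processes):
    """Return {system: (rto_h, rpo_h)}. A shared system inherits the
    tightest target of every process that depends on it."""
    targets = {}
    for p in processes:
        rto = p.mtpd_h * RTO_MARGIN
        for s in p.systems:
            old_rto, old_rpo = targets.get(s, (float("inf"), float("inf")))
            targets[s] = (min(old_rto, rto), min(old_rpo, p.rpo_h))
    return targets

def backup_gaps(targets, backup_interval_h):
    """Systems whose backup interval exceeds their RPO; a system with no
    scheduled backup at all also counts as a gap."""
    return sorted(s for s, (_, rpo) in targets.items()
                  if backup_interval_h.get(s, float("inf")) > rpo)

if __name__ == "__main__":
    t = derive_targets(PROCESSES)
    # Constructed current backup schedule: hours between backups per system
    schedule = {"webshop": 0.25, "payments": 0.25, "erp": 1, "wiki": 24, "directory": 24}
    for s, (rto, rpo) in sorted(t.items()):
        print(f"{s:10} RTO {rto:>5} h   RPO {rpo:>5} h")
    print("backup interval exceeds RPO:", backup_gaps(t, schedule))
```

In the constructed data the shared directory service is backed up daily yet inherits the online shop's 15-minute RPO, which is exactly the kind of dependency gap the BIA is meant to surface before an auditor or an incident does.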

4. Emergency plan and crisis team

5. Disaster recovery

6. 8-week SME roadmap

Week | Activity
1-2  | Appoint BCM officer; run BIA
3    | Set RTO/RPO per process
4-5  | Emergency plan, crisis team, contact lists
6    | DR concept and backup test
7    | Tabletop exercise with crisis team
8    | Lessons learned and plan update

7. Fines and management liability

Section 60 BSIG sets fines up to EUR 10 million or 2% of global revenue. In practice, an active incident without a BCM plan triggers significant fines plus management liability under Section 38 BSIG. BCM is one of the few NIS2 measures that auditors can verify in minutes by asking for the latest tabletop minutes.

Summary

BCM under NIS2 is not an IT topic alone. It is a management system that combines BIA, RTO/RPO, emergency response, and disaster recovery. The 8-week roadmap above takes an SME from zero to a defensible BCM program. Document the tabletop and you are audit-ready.


Frequently Asked Questions

What is the difference between BCM and DR?
BCM is the overarching management system for business continuity; DR is the technical recovery of IT. BCM includes DR and additionally covers personnel, premises, suppliers, and communication.
How do I define RTO and RPO?
RTO (Recovery Time Objective): how long may the system be down? RPO (Recovery Point Objective): how much data loss is acceptable? Both are defined individually per critical system, based on the BIA.
Which standard?
ISO 22301 is the gold standard. NIS2 does not require certification, but it does expect equivalent structures. BSI Standard 200-4 is the German counterpart.
Who handles BCM in SMEs?
Ideally a BCM officer (may also be the IT security officer). The managing director is liable (Section 38 BSIG (German IT Security Act)).
How often should emergency exercises be conducted?
At least one tabletop exercise per year, a live test of a critical application every 2 years. A lessons-learned workshop after every incident.
Fine risk for BCM violations?
Section 60 BSIG: up to EUR 10 million / 2% of global revenue. In practice: in an acute incident without a BCM plan, significant fines plus managing director liability.

Sources