NIS 2 business continuity under Article 21(2)(c)
NIS 2 says you must keep operations running and recover when something breaks. Article 21(2)(c) is the duty. CIR (EU) 2024/2690 §4 spells out the BCP, the backup plan, and the crisis procedure. Germany puts it into §30(2)(3) BSIG.
The short version
Business continuity sits at point (c) on the Article 21(2) list. The directive bundles three things together: keep the business running, manage your backups and recovery, and run crisis management. If NIS 2 applies to you, you have to do all three.
CIR (EU) 2024/2690 §4 breaks the same duty into three subsections. §4.1 is the business continuity plan itself, with an eight-point content list. §4.2 is backup and redundancy, with a six-point plan plus integrity tests. §4.3 is the crisis management procedure, including how you talk to the competent authority. If you run DNS, a TLD registry, cloud, a data centre, a CDN, an MSP or MSSP, an online marketplace, search engine or social network, or a trust service, you are in the CIR's scope and this binds you directly.
Germany puts the same rule into national law through §30(2)(3) BSIG. The wording follows the directive. This page walks the directive, the EU follow-up regulation, and the German transposition in that order.
Article 21(2)(c) NIS 2 Directive (2022/2555)
Business continuity, such as backup management and disaster recovery, and crisis management.
Point (c) on the list of ten cybersecurity measures every essential and important entity has to put in place. One line, three duties bundled.
CIR (EU) 2024/2690, Annex §4
Business continuity and crisis management (Article 21(2)(c) of Directive (EU) 2022/2555).
Because this is an implementing regulation (not a directive), it applies directly without national transposition. The CIR splits §4 into three subsections: §4.1 the business continuity and disaster recovery plan, §4.2 backup and redundancy management, §4.3 the crisis management procedure. It applies directly to DNS service providers, TLD name registries, cloud and data centre providers, CDNs, MSPs and MSSPs, online marketplaces, search engines, social networks and trust service providers; the technical requirements themselves sit in its Annex.
§30(2)(3) BSIG (Germany)
Business continuity, such as backup management and disaster recovery, and crisis management.
Germany copies the directive wording. The BSI's Infopakete lists business continuity as one of the ten Article 21(2) measures every essential and important entity has to cover.
Business continuity and disaster recovery plan
A written plan with eight points: purpose and scope, roles and responsibilities, contact list, the conditions that trigger activation, the recovery sequence, the recovery plan for each critical process, the resources you need, and how you restart and resume normal operations. Not three sentences in a Word doc. A real document people can follow when the network is down and the phones are ringing.
Backup and redundancy management
A six-point backup plan: target recovery times, backup completeness and accuracy, off-site or otherwise separate secure storage, physical and logical access controls, the recovery procedure itself, and retention periods. Plus periodic integrity tests so you find out before the incident whether the backups actually restore. Plus redundancy for assets, personnel and communication channels.
Crisis management procedure
A written procedure with named roles, a communication channel to the competent authority, a way to maintain security during the crisis, and the list of mandatory communications, including the incident reports under Article 23. Crisis management is not 'we get on a call'. It is who is on the call, what they decide, and who they tell.
Backup is governance, not just IT
The §4.2 backup plan is auditable paperwork, not a checkbox in your backup tool. Retention periods get signed off. Off-site storage location gets documented. Recovery times get set against the business, not against what the tool can do. If your backup story lives entirely inside the IT team, you are missing the governance layer the CIR asks for.
Test on a cadence, not 'when we get time'
§4.1 expects the BCP to be tested periodically. §4.2 expects backup integrity tests on a cadence. The CIR does not fix an interval, so you set one and defend it. An untested BCP is paper. An untested backup is a hope. A sensible floor: once a year for the BCP tabletop, more often for backup restore tests. Document the test, document what failed, document what you fixed.
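What a §4.2 integrity test actually has to produce is evidence: a record of when the restore ran, what was checked, and what failed. The script below is an added illustration of that, written for this page; it is not tooling from the CIR, the BSI or ENISA. It restores a backup set to a scratch directory, checks completeness and SHA-256 hashes against a manifest, compares the backup's age and the measured restore time against targets, and returns an audit record instead of a pass/fail print. The manifest format, the field names and the thresholds are assumptions made for the example, and the three-file backup set is constructed sample data.

```python
import hashlib
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path, taken_at: datetime) -> dict:
    """What a complete backup set must contain: every file with size and SHA-256.
    Manifest layout is an assumption for this example."""
    files = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_root).as_posix()
            files[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return {"taken_at": taken_at.isoformat(), "files": files}


def restore(backup_root: Path, target: Path, manifest: dict) -> None:
    """Stand-in for the documented restore procedure: copy each listed file to scratch."""
    for rel in manifest["files"]:
        src = backup_root / rel
        if src.exists():  # a file absent from the medium is reported by the check below
            dst = target / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())


def integrity_test(backup_root: Path, manifest: dict, max_age_hours: float,
                   rto_seconds: float, now: datetime, scratch: Path) -> dict:
    """Restore to scratch, then check completeness, hashes, backup age and restore time.
    Returns an audit record so the result can be filed as evidence."""
    t0 = time.perf_counter()
    restore(backup_root, scratch, manifest)
    restore_seconds = time.perf_counter() - t0

    missing, corrupted = [], []
    for rel, expected in manifest["files"].items():
        p = scratch / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            corrupted.append(rel)

    age_hours = (now - datetime.fromisoformat(manifest["taken_at"])).total_seconds() / 3600
    record = {
        "tested_at": now.isoformat(),
        "backup_taken_at": manifest["taken_at"],
        "files_checked": len(manifest["files"]),
        "missing": missing,
        "corrupted": corrupted,
        "age_hours": round(age_hours, 2),
        "within_max_age": age_hours <= max_age_hours,
        "restore_seconds": round(restore_seconds, 3),
        "rto_met": restore_seconds <= rto_seconds,
    }
    record["passed"] = (not missing and not corrupted
                        and record["within_max_age"] and record["rto_met"])
    return record


def demo() -> tuple:
    """Constructed three-file backup set, tested once clean and once after damage."""
    base = Path(tempfile.mkdtemp(prefix="nis2-backup-"))
    backup = base / "backup"
    sample = {  # constructed sample content, not real data
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
        "config/app.yaml": b"rto_minutes: 240\n",
        "docs/bcp.md": b"# Business continuity plan\n",
    }
    for rel, data in sample.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(data)
    taken = datetime(2025, 1, 10, 2, 0, tzinfo=timezone.utc)
    manifest = build_manifest(backup, taken)

    clean = integrity_test(backup, manifest, max_age_hours=24, rto_seconds=300,
                           now=taken + timedelta(hours=6), scratch=base / "restore-1")
    # Simulate silent media corruption plus a file that never reached the medium
    (backup / "db/customers.sql").write_bytes(b"\x00" * 8)
    (backup / "docs/bcp.md").unlink()
    broken = integrity_test(backup, manifest, max_age_hours=24, rto_seconds=300,
                            now=taken + timedelta(hours=30), scratch=base / "restore-2")
    return clean, broken


if __name__ == "__main__":
    import json
    for rec in demo():
        print(json.dumps(rec, indent=2))
```

The point of returning a record rather than a boolean is that the record is the audit artefact: store it next to the backup plan with the date, and the cadence question from the paragraph above answers itself from the file list. The second run in `demo()` shows the two failure modes you want to catch before an incident does, a corrupted file and a file that is in the manifest but not on the medium, plus a backup older than the agreed maximum age.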
BSI / IT-Grundschutz DER.4
The BSI lists business continuity as one of the ten Article 21(2) measures (see §30(2)(3) BSIG) and points at IT-Grundschutz Baustein DER.4 'Notfallmanagement' as the practical route. DER.4 covers the full continuity lifecycle: BIA, BCP, recovery plans, tests, sign-off. If you follow DER.4 end to end you are well past the CIR §4 floor.
ENISA Technical Implementation Guidance
ENISA's TIG turns CIR §4 into concrete steps and maps it onto ISO/IEC 27001:2022 (Annex A controls A.5.29, A.5.30, A.8.13 and A.8.14) and NIST CSF 2.0 (the Recover function). If you already run ISO 27001 or NIST CSF, the TIG tells you what you can reuse and where the gaps still are.
National transposition laws
Every member state has its own transposition (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). The continuity duty is the same because the directive sets one EU-wide standard. What differs: which national authority you notify in a crisis, on what channel, and within which national deadlines.
We have backups on tape, so we are fine.
Backups are not enough. CIR §4.2 wants the full six-point plan documented: target recovery times, completeness, off-site storage, access controls, recovery procedure, retention periods. Plus periodic integrity tests. A tape rotation without the written plan is half the requirement.
BCP is the IT team's problem.
It is not. §4.3 explicitly covers crisis management with the executive layer: communication channels with the competent authority, the mandatory incident reports under Article 23, decisions about which services to maintain and which to suspend. That is a management duty, not an IT duty.
We'll figure it out in a crisis.
You will not. §4.3 requires a written crisis procedure with named roles and pre-defined communication channels. The point of writing it down beforehand is that you are not making it up at 3 a.m. on a Sunday. An auditor will ask for the document. 'We have good people' is not the document.
What we see in practice: most Mittelstand companies have backups. Tape, cloud, second site, something. What they almost never have is the documented §4.2 plan around those backups: recovery time targets set against the business, retention periods signed off, off-site storage location named, integrity tests on a calendar. The backups exist. The governance does not.
Two steps that get the job done: first, write the §4.1 BCP. Use the eight-point list from the CIR as your table of contents. Second, run the test once a year. A tabletop exercise where the management team works through the BCP for a real scenario beats six months of polishing the document. The test is what produces the audit evidence.
We built CIR §4 into the platform as a module. The BCP form captures the eight content fields from §4.1. The backup form captures the six points from §4.2 plus the test schedule. The crisis procedure form captures the §4.3 roles, channels and Article 23 communication paths. Sign-off lives next to each artefact.
The test cadence lives on the platform too. You schedule the annual BCP tabletop and the quarterly backup restore tests, the platform reminds the owner, the owner records the result, and the audit trail shows when it ran and what happened. No separate calendar, no separate document store.
- Directive (EU) 2022/2555 (NIS 2), Article 21(2)(c) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §4 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §30(2)(3) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- BSI IT-Grundschutz Baustein DER.4 'Notfallmanagement' — bsi.bund.de/grundschutz
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 (as of May 2026)