Do you have backups + disaster recovery + crisis management capability (Art 21.2.c)?
Demonstrate that the organization maintains documented, tested, and operationally ready backup systems, disaster recovery procedures, and crisis management structures capable of preserving data, restoring critical functions, and coordinating incident response in compliance with NIS2 Article 21.2(c) requirements.
Description
What this control does
This control mandates the implementation of three interconnected capabilities as required by NIS2 Article 21.2(c): backup systems to preserve data integrity and availability, disaster recovery procedures to restore critical operations after disruptive incidents, and crisis management structures to coordinate organizational response during active cyber incidents or operational failures. The control ensures business continuity through tested technical redundancy (backups), documented recovery workflows (DR), and governance frameworks (crisis management) that enable rapid escalation, decision-making, and communication. NIS2 specifically requires these capabilities to be documented, regularly tested, and proportionate to the entity's risk profile and criticality.
Control objective
What auditing this proves
Demonstrate that the organization maintains documented, tested, and operationally ready backup systems, disaster recovery procedures, and crisis management structures capable of preserving data, restoring critical functions, and coordinating incident response in compliance with NIS2 Article 21.2(c) requirements.
Associated risks
Risks this control addresses
- Ransomware or destructive malware rendering production systems and accessible backups simultaneously unusable due to inadequate air-gapping or immutability controls
- Extended service outages exceeding recovery time objectives when disaster recovery plans are untested, outdated, or omit critical infrastructure dependencies
- Data loss beyond recovery point objectives due to backup failures, corruption, or insufficient retention policies
- Disorganized crisis response causing delayed containment, ineffective stakeholder communication, and regulatory notification failures during active cyber incidents
- Inability to restore operations after physical disasters, cloud provider failures, or supply chain disruptions due to single points of failure in recovery architecture
- Legal and regulatory penalties under NIS2 for failure to implement mandatory business continuity measures
- Reputational damage and customer attrition when critical services remain unavailable beyond acceptable timeframes
Testing procedure
How an auditor verifies this control
- Obtain and review the documented backup policy including scope, frequency, retention periods, storage locations, encryption requirements, and responsibilities
- Obtain and review the disaster recovery plan documenting recovery procedures, RTO/RPO definitions, system dependencies, failover sequences, and contact information
- Obtain and review the crisis management framework including escalation matrices, decision-making authorities, communication templates, and regulatory notification procedures
- Verify backup implementation by examining configuration exports from backup systems showing scheduling, versioning, immutability settings, and off-site/air-gapped storage
- Sample recent backup logs and restoration test records to confirm backups execute successfully, are restorable, and meet documented RPO requirements
- Review disaster recovery test reports from the past 12 months documenting test scenarios, participant roles, recovery durations, gaps identified, and remediation actions
- Interview crisis management team members to verify awareness of roles, validate availability of communication tools during crises, and confirm understanding of escalation thresholds
- Trace a critical system through all three capabilities: verify its inclusion in backup scope, presence in DR runbooks with specific recovery steps, and representation in crisis scenario documentation
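The evidence checks listed above (most recent successful backup against the documented RPO, a restore test within the past 12 months, immutable backup copies) can be scripted over exported backup logs and test records. The following is an added example, not part of this control text; the log format, the RPO values, the restore-test dates and the assessment date are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample evidence: one line per backup job run
# (timestamp, system, result, storage attributes). Not from any real system.
BACKUP_LOG = """\
2024-05-01T01:00:00Z erp-db    SUCCESS immutable=yes offsite=yes
2024-05-02T01:00:00Z erp-db    SUCCESS immutable=yes offsite=yes
2024-05-02T01:05:00Z fileshare FAILED  immutable=no  offsite=yes
2024-05-03T01:00:00Z erp-db    SUCCESS immutable=yes offsite=yes
2024-05-03T01:05:00Z fileshare FAILED  immutable=no  offsite=yes
"""

# Documented RPO per system in hours (assumed values for this example).
RPO_HOURS = {"erp-db": 24, "fileshare": 24}

# Constructed restore-test records: system -> date of last successful restore test.
RESTORE_TESTS = {"erp-db": "2024-01-15", "fileshare": "2023-02-10"}


def parse_log(text):
    """Parse the constructed log format into one dict per job run."""
    runs = []
    for line in text.splitlines():
        ts, system, status, *flags = line.split()
        attrs = dict(flag.split("=") for flag in flags)
        runs.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "system": system, "status": status, **attrs})
    return runs


def assess(runs, rpo_hours, restore_tests, now):
    """Per system: is the RPO met, was a restore tested in the last 12 months,
    and are all successful copies immutable? Missing evidence counts as a gap."""
    findings = {}
    for system, rpo in rpo_hours.items():
        ok = [r for r in runs if r["system"] == system and r["status"] == "SUCCESS"]
        last_ok = max((r["ts"] for r in ok), default=None)
        rpo_met = last_ok is not None and now - last_ok <= timedelta(hours=rpo)
        last_test = restore_tests.get(system)
        tested = (last_test is not None
                  and now - datetime.fromisoformat(last_test) <= timedelta(days=365))
        immutable = bool(ok) and all(r.get("immutable") == "yes" for r in ok)
        findings[system] = {"rpo_met": rpo_met,
                            "restore_tested_12m": tested,
                            "immutable_copies": immutable}
    return findings


def run_example(now=datetime(2024, 5, 3, 12, 0, 0)):
    """Assess the constructed evidence at a fixed assessment date."""
    return assess(parse_log(BACKUP_LOG), RPO_HOURS, RESTORE_TESTS, now)
```

Any system with a False in its findings is an audit exception to raise against the documented backup policy or DR test schedule.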