NIS2 Disaster Recovery Plan: Template + RTO/RPO

Q: What does NIS2 require for the disaster recovery plan?

Article 21(2)(c) NIS2 Directive and Section 30(2) no. 3 BSIG require measures for 'business continuity, such as backup management and disaster recovery, and crisis management'. A documented disaster recovery plan with RTO/RPO is mandatory.

Q: What is the difference between DR plan and BCM plan?

BCM (Business Continuity Management) is the higher-level business-continuity view: which critical business processes to recover at which priority. DR (Disaster Recovery) is the technical implementation: how systems, data and infrastructure are concretely restored. BCM defines the 'what', DR the 'how'.

Q: Which RTO/RPO values are appropriate?

Per service class: Tier 1 (business-critical) RTO <= 4h / RPO <= 15min, Tier 2 (important) RTO <= 24h / RPO <= 4h, Tier 3 (standard) RTO <= 72h / RPO <= 24h, Tier 4 (non-critical) RTO <= 1 week / RPO <= 1 week. Concrete values emerge from the business impact analysis per process.

Q: How often must the DR plan be tested?

Recommended: quarterly partial tests (e.g. backup-restore test, failover of a service), annual full scenario with crisis team. KRITIS face stricter sector-specific requirements. Tests must be documented in minutes with findings and corrective actions.

Q: Is a cloud backup sufficient as a DR strategy?

No. Cloud backup is a building block, not a DR plan. It lacks: crisis-team activation, communications plan, RTO fulfilment (restore from cloud can take days at large volumes), emergency workplaces, supplier escalation. Cloud backup belongs in the DR plan as a technical measure but does not replace it.

Q: How do I integrate ransomware recovery into the DR plan?

Ransomware is its own scenario in the DR plan. Specifics: immutable backups as recovery source (non-infectable), forensic preservation before recovery, crisis communications with supervisor and possibly law enforcement, recovery sequence by risk, lessons learned from the incident. Cross-reference: article on Ransomware Recovery 72h Plan.

Q: Must the DR plan also cover cloud services?

Yes. Cloud hyperscalers have very high availability, but outages occur (AWS us-east-1, Azure, Microsoft 365 Teams). The DR plan must contain scenarios for cloud outages: alternative region/provider, local backup copies, offline working capability for critical functions, contractual damages provisions pre-checked.

May 17, 2026· Category: NIS2· As of: 2026-05-17· Reading time: ~9 min

Practitioner note: This is not legal advice. For binding statements consult a qualified attorney or compliance officer.

A disaster recovery plan (DR plan) is one of the central mandatory documents under NIS2. Article 21(2)(c) NIS2 Directive requires measures for "business continuity, such as backup management and disaster recovery, and crisis management". Section 30(2) no. 3 BSIG transposes this. NIS2 compliance is not possible without a DR plan. This guide shows the required structure, five typical scenarios, RTO/RPO values per service class, and test frequency.

TL;DR

Mandatory under Article 21(2)(c) NIS2 Directive and Section 30(2) no. 3 BSIG
DR plan building blocks: activation, scenarios, RTO/RPO, roles, communications, recovery, tests
5 typical scenarios: ransomware, data-centre outage, cloud outage, insider, natural event
RTO/RPO 4-tier scheme: Tier 1 (4h/15min) to Tier 4 (1 week)
Tests: quarterly partial tests + annual full scenario with crisis team

1. What NIS2 Art. 21(2)(c) and Section 30(2) no. 3 BSIG require

Article 21(2)(c) of the NIS2 Directive reads: "business continuity, such as backup management and disaster recovery, and crisis management". Section 30(2) no. 3 BSIG transposes this in substance.

Concretely this means three mandatory building blocks:

Backup management: documented strategy, regular backups, verifiable restore
Disaster recovery: technical and organisational procedures for recovery
Crisis management: crisis team, communications, decision and escalation paths

The DR plan is the operational implementation of these three blocks. It is flanked by the BCM plan (strategic business continuity), backup concept (technical backup strategy) and incident response plan (incident handling). Cross-reference: BCM Business Continuity under NIS2.

Interplay with DORA and sector-specific requirements

Banks and financial-services firms are additionally subject to DORA (Regulation (EU) 2022/2554) with its own ICT risk-management requirements. Hospitals have additional rules from the German KHZG. Energy suppliers must meet Section 11 EnWG and the IT-Security Catalogue. The DR plan is the common foundation; sector specifics are covered additively.

2. DR plan structure

An audit-grade DR plan contains the following sections:

Section 1: Scope and activation

Which systems, processes, sites are covered?
Who activates the plan (crisis team, IT leadership, management)?
Activation criteria: measurable thresholds (e.g. "outage > 4h", "confirmed data exfiltration", "encrypted servers > 5")
Alerting procedure: 24/7 hotline, escalation phone tree

Section 2: Roles and responsibilities

Crisis team: lead, deputy, members, availability
IT recovery team: owners per system cluster
Communications owners (internal / supervisor / customers / media)
External partners: IT forensics, law firm, PR agency, cyber insurer

Section 3: Scenarios

Per scenario: trigger, impact, immediate measures, recovery approach, special requirements.

Section 4: RTO/RPO matrix

Per service/application: tier classification, RTO, RPO, dependent systems, recovery sequence.

Section 5: Recovery procedures

Technical procedures (restore scripts, failover procedures, cloud failover)
Dependency sequence (DNS → AD → database → application)
Validation tests post-recovery
Handover to normal operations

Section 6: Communications

Internal communications: staff, works council
Supervisory authorities: BSI 24h/72h/1M under Article 23 NIS2 Directive and Section 32 BSIG (cross-reference: NIS2 reporting channels)
Customers and contractual partners
Media, public (for major incidents)
Pre-prepared holding statements

Section 7: Tests and exercises

Test plan with frequency per scenario
Test record template
Findings tracking and corrective-action plan

Section 8: Maintenance and updates

Review cycle (at least annual)
Triggers for event-driven updates
Owner for maintenance

3. 5 typical scenarios in detail

Scenario 1: Ransomware attack

Trigger: encryption of critical systems, often combined with data exfiltration
Impact: production/business standstill, reputational damage, possible ransom demand
Immediate measures: activate crisis team, isolate infected systems (network disconnection, do not power off — forensics!), engage IT forensics, BSI notification within 24h
Recovery strategy: restore from immutable backups, NOT from potentially infected snapshots
Specifics: ransom policy predefined (ENISA recommendation: do not pay, but document in DR plan), report to law enforcement

Details: Ransomware Recovery 72h Plan.

Scenario 2: Data-centre outage

Trigger: fire, power outage exceeding UPS capacity, water, cooling failure, physical damage
Impact: complete outage of locally hosted systems
Immediate measures: activate failover to secondary DC, inform staff, notify service providers
Recovery strategy: active-active cluster (hot standby) or active-passive (warm standby) with documented failover procedure
Specifics: physical access lockdown and evidence preservation on suspected arson

Scenario 3: Cloud hyperscaler outage

Trigger: AWS, Azure, GCP or Microsoft 365 outage in the region used
Impact: depth depends on dependency — from partial (email briefly down) to total (full SaaS dependency)
Immediate measures: check provider status page, own status communication, activate workarounds (e.g. local tools, phone instead of Teams)
Recovery strategy: multi-region (within provider), multi-cloud (across providers) — cost/benefit trade-off documented
Specifics: check cloud provider SLA, document damages claims

Cross-reference: NIS2 for cloud providers and SaaS.

Scenario 4: Insider attack or unauthorised access

Trigger: malicious employee, privileged-account compromise, unauthorised access
Impact: data manipulation, data exfiltration, sabotage
Immediate measures: account lockout, engage forensics, involve works council (if employee), engage law enforcement
Recovery strategy: restore manipulated data from integrity-preserved backups, full audit-trail analysis
Specifics: labour-law measures, co-determination, evidence preservation with employee data protection (BDSG)

Scenario 5: Natural catastrophe or force majeure

Trigger: flood, earthquake, storm, pandemic, prolonged power outage
Impact: regional outages, possibly personnel loss, physical damage
Immediate measures: personnel safety first, site evacuation if necessary, activate emergency workplaces
Recovery strategy: geographically distributed DC, cloud failover, home-office capability, alternative sites
Specifics: early insurance claims, authority communications (city/state crisis team)

4. RTO/RPO per service class

RTO (Recovery Time Objective) is the maximum acceptable recovery duration. RPO (Recovery Point Objective) is the maximum acceptable data loss (time between last backup and incident).

Tier	Description	RTO	RPO	Examples
Tier 1	Business-critical	≤ 4 h	≤ 15 min	Core ERP, control systems, online shop, patient record system
Tier 2	Important	≤ 24 h	≤ 4 h	CRM, email, accounting, HR system
Tier 3	Standard	≤ 72 h	≤ 24 h	DMS, intranet, internal reporting tools
Tier 4	Non-critical	≤ 1 week	≤ 1 week	Archives, historical data, test systems

Service-level assignment happens in the business impact analysis (BIA) ahead of the DR plan. The BIA quantifies: what does downtime per hour cost us? Which business processes depend on it?

Technical implications per tier

Tier 1: synchronous replication, active-active cluster, hot standby — expensive but necessary for availability-critical systems
Tier 2: asynchronous replication, warm standby, fast restore from hot backup
Tier 3: daily backups (snapshot/cloud), cold restore acceptable
Tier 4: weekly backup, tape or archive tier in cloud

5. Quarterly tests and annual full scenario

Tests are the most important effectiveness control. Without documented tests the DR plan is worthless in an audit.

Quarterly partial tests

Quarter	Test type	Scope
Q1	Backup-restore test	Restore 5 randomly selected systems from Tier 1 + 2, validate integrity
Q2	Failover test	Failover a Tier-1 application to secondary system, measure RTO
Q3	Communications test	Test alerting chain and crisis-team reachability (unannounced)
Q4	Tabletop exercise	Crisis team works a scenario (e.g. ransomware), practising decision paths

Annual full scenario

Realistic scenario (e.g. total DC outage, ransomware with data exfiltration)
Full activation of crisis team and recovery team
Simulation of supervisory communications and media inquiries
At least 4 hours of exercise time, ideally multiple days over a weekend
External observation (auditor, insurer, advisor)
Minutes with findings, lessons learned, corrective-action plan

Test documentation

Per test: date, participants, scenario, sequence, findings, measured RTO/RPO values, corrective actions with deadlines and owners.

6. Ransomware: the most important special scenario

Ransomware has been the top threat scenario in BSI situation reports for years. The DR plan must provide for specific mechanisms:

Immutable backups: Veeam Hardened Repository, S3 Object Lock, Azure Immutable Blobs — non-infectable by active malware
Backup isolation: backup infrastructure in a separate AD tier, no default domain trust
Air-gap backups: regularly taken offline copies (tape, external HDD in safe)
Recovery hardware on standby: clean systems for restart after forensic clearance
Forensic processes: document Indicators of Compromise (IoC), identify compromised backups
Ransom policy: management position predefined; ENISA recommendation: no payment
Crisis communications: BSI 24-hour notification, where relevant data-protection supervisor (GDPR Art. 33 in case of exfiltration)

Details: Ransomware Recovery 72h Plan.

7. Documentation and audit evidence

In a BSI audit under Section 31 BSIG the following DR-plan evidence is expected:

Current DR plan (version < 12 months old)
Business impact analysis with service classification
RTO/RPO matrix per service
Test minutes for the last 12 months (quarterly tests + annual exercise)
Backup concept with immutable component
Crisis-team list current, with 24/7 reachability
Communication templates for supervisor, customers, media
Lessons learned from actual incidents in the last 24 months
Management approval of the current version

Most common audit findings: outdated plan, paper-only tests, lack of currency after personnel changes, missing immutable backup component, no 24/7 reachability of the crisis team. BSI treats these as "structural deficiencies" which can be sanctioned under Section 38 BSIG with fines up to EUR 10 million / 2% group turnover.

Frequently Asked Questions

What does NIS2 require for the disaster recovery plan?

Article 21(2)(c) NIS2 Directive and Section 30(2) no. 3 BSIG require measures for "business continuity, such as backup management and disaster recovery, and crisis management". A documented disaster recovery plan with RTO/RPO is mandatory.

What is the difference between DR plan and BCM plan?

BCM (Business Continuity Management) is the higher-level business-continuity view: which critical business processes to recover at which priority. DR (Disaster Recovery) is the technical implementation: how systems, data and infrastructure are concretely restored. BCM defines the "what", DR the "how".

Which RTO/RPO values are appropriate?

Per service class: Tier 1 (business-critical) RTO ≤ 4h / RPO ≤ 15min, Tier 2 (important) RTO ≤ 24h / RPO ≤ 4h, Tier 3 (standard) RTO ≤ 72h / RPO ≤ 24h, Tier 4 (non-critical) RTO ≤ 1 week / RPO ≤ 1 week. Concrete values emerge from the business impact analysis per process.

How often must the DR plan be tested?