DORA Art.11: ICT Business Continuity Policy, RTO/RPO, and Annual Testing for Financial Services — Developer Guide 2026
Post #504 in the sota.io EU Cyber Compliance Series
DORA Chapter II defines a six-domain ICT risk management framework. Article 11 sits at the intersection of the protection domain (Art.9) and the backup/recovery domain (Art.12), governing the strategic policy layer that bridges them: your ICT Business Continuity Policy.
This is the distinction that most NCA audit findings turn on. Financial entities routinely have Art.12-compliant backup procedures and Art.5-compliant ICT risk management frameworks — but no documented Art.11 BCP policy that sets the governance context for when backups are activated, who decides, at what recovery objective, and how the decision is communicated. The policy and the procedures are separate obligations.
This guide covers all six Art.11 obligations, explains the BCP hierarchy within DORA's Chapter II architecture, provides Python implementations for BCP activation logic and RTO/RPO tracking, maps to NIS2 Art.21(2)(c) for dual-regulated entities, and closes with a 20-item NCA audit checklist.
1. Who Is Subject to DORA Art.11
DORA Art.2(1) scope: approximately 22,000 EU financial entities, same as all Chapter II articles:
| Category | Specific Examples |
|---|---|
| Credit institutions | Banks, savings banks, cooperative banks |
| Investment firms | Brokers, asset managers, portfolio managers |
| Insurance/reinsurance undertakings | All Art.2(1)(c) entities |
| Payment institutions | PSPs, e-money issuers |
| Crypto-asset service providers | CASPs under MiCA |
| Central counterparties | CCPs, central securities depositories |
| ICT third-party service providers | Cloud, SaaS providers in scope via Art.30 |
Proportionality (Art.16): Microenterprises (< 10 employees, < €2M turnover/balance sheet) apply a simplified ICT risk management framework. Art.11 obligations apply in principle but the depth of documentation and testing frequency may be reduced under the simplified framework. Art.11(5) annual testing applies to all entities regardless of size.
2. The DORA Chapter II BCP Hierarchy
Understanding where Art.11 fits prevents the most common compliance gap:
Art.5: ICT Risk Management Framework (top-level governance)
└── Art.6: ICT Risk Tolerance Statement
└── Art.7: ICT Systems Inventory + Classification
└── Art.8: Risk Identification + Assessment
└── Art.9: ICT Protection Policies (security controls)
└── Art.11: ICT Business Continuity Policy ← YOU ARE HERE
└── Art.12: ICT Backup Operations (procedures)
└── Art.13: Post-Incident Review (learning)
└── Art.14: Communication Strategy (comms)
Art.11 is the strategic layer; Art.12 is the operational layer.
Art.11 answers: When do we activate recovery? Who decides? What recovery objectives must we meet? How do we test that we can meet them?
Art.12 answers: What backup copies exist? Where are they stored? How are they restored? Are they segregated?
An entity that has both Art.12-compliant backup procedures and Art.11-compliant governance has closed the Chapter II resilience loop. An entity with only Art.12 procedures has operational capability without strategic governance — and will fail an Art.11 audit finding.
3. Art.11(1): The ICT Business Continuity Policy Mandate
Financial entities shall have in place a sound, comprehensive and well-documented ICT business continuity policy, which shall be implemented through dedicated arrangements, plans, procedures and mechanisms aiming to ensure the continuity of financial entities' critical or important functions. — DORA Art.11(1)
The four mandatory characteristics: sound (technically justified), comprehensive (all critical/important functions), well-documented (NCA-auditable), and implemented through dedicated arrangements (not just described but operationally embedded).
What "Critical or Important Functions" Means
Art.11 is explicitly scoped to critical or important functions — the same terminology used in Art.4(22) (definition) and Art.28 (third-party risk). The EBA ITS on criticality assessment criteria apply:
| Function Tier | Characterisation | BCP Requirement |
|---|---|---|
| Critical | Failure directly threatens financial stability or client assets | Mandatory Art.11 coverage, lowest RTO/RPO |
| Important | Significant operational or reputational impact | Mandatory Art.11 coverage, tiered RTO/RPO |
| Standard | Routine operations, not client-facing | Not required by Art.11, good practice |
| Non-core | Administrative, ancillary | Out of Art.11 scope |
Practical identification method: Functions are critical/important if their disruption would trigger Art.19 reporting obligations (major ICT incident under Art.18 classification) or breach the entity's Art.6 risk tolerance statement.
Mandatory Policy Components
Art.11(1) combined with the ESA Joint Guidelines on ICT Business Continuity specifies these minimum policy components:
| Component | Minimum Content |
|---|---|
| Scope statement | Which functions, systems, and entities are covered |
| Activation criteria | The specific triggers that invoke the BCP |
| Recovery objectives | RTO and RPO per function category |
| Roles and responsibilities | Named roles for BCP activation, decision authority, escalation |
| Communication protocol | Internal escalation and external notification chains |
| Coordination with Art.28 TPPs | How third-party continuity aligns with internal BCP |
| Testing schedule | Annual testing cadence per Art.11(5) |
| Review and update cycle | When the policy is reviewed (at minimum post-test, post-incident) |
4. Art.11(2): Business Continuity Plans
Art.11(2) distinguishes the policy (strategic governance document) from the plans (operational response documents):
Financial entities shall implement ICT business continuity plans that address all relevant ICT assets and services and shall at minimum cover the scenarios referred to in Art.11(3).
The key operational difference:
| Artifact | Purpose | Audience | Review Frequency |
|---|---|---|---|
| BCP Policy (Art.11(1)) | Sets objectives, criteria, roles — "the what and why" | Board, senior management, NCAs | Annual + post-major-incident |
| Business Continuity Plans (Art.11(2)) | Step-by-step activation procedures — "the how" | ICT teams, incident response, operations | Quarterly review + after each test |
| Backup Procedures (Art.12) | Specific backup/restore runbooks | ICT operations, DevOps | Continuous (operational) |
Plan Scope Requirements
Art.11(2) requires plans to address all relevant ICT assets and services — not just production systems. This includes:
- Core banking / trading systems
- Authentication and identity services
- Logging and monitoring infrastructure (you cannot audit your recovery without them)
- Third-party API dependencies (Art.28 mapped)
- Communication systems (email, messaging, incident coordination tools)
- Data management systems (databases, data warehouses)
5. Art.11(3): Activation Criteria, Roles, and Communication
Art.11(3) specifies the minimum content for each BCP plan:
Business continuity plans shall, at minimum, include: criteria specifying the circumstances when the plan shall be activated; the relevant actors, their responsibilities and the means of communication; the recovery time and recovery point objectives.
Activation Criteria Design
Activation criteria must be objective and pre-defined, not subjective management judgment:
| Trigger Type | Example Criterion | Activation Threshold |
|---|---|---|
| Service availability | Core banking system unavailable | > 30 minutes unscheduled downtime |
| Data integrity | Database inconsistency detected | Any integrity violation affecting client accounts |
| Security incident | Ransomware or destructive malware confirmed | Upon CSIRT confirmation of containment failure |
| Third-party failure | Critical SaaS provider unreachable | > 60 minutes + no ETA from provider |
| Geographic | Primary data centre unavailable | Full site loss or network partition |
| Regulatory trigger | NCAs invoke emergency powers | Upon receipt of regulatory instruction |
Critical implementation note: Activation criteria must be binary or metric-based, not phrased as "significant disruption" or "major impact" — those require further interpretation under stress and will slow activation. Design criteria that a duty manager can evaluate in under two minutes at 3am.
Roles and Responsibilities Matrix
Art.11(3) requires pre-defined roles. A minimal RACI for DORA Art.11 activation:
| Role | DORA Function | Authority |
|---|---|---|
| Business Continuity Manager | Overall BCP activation decision | Accountable |
| CTO / Head of ICT | Technical activation, DR orchestration | Responsible |
| Chief Risk Officer | Risk tolerance breach assessment | Consulted |
| CISO | Security incident confirmation, threat scope | Consulted |
| Communications Lead | External notifications (Art.14), NCA contacts | Responsible |
| Legal/Compliance | Art.19 reporting trigger assessment | Consulted |
| Senior Management / Board | For critical function declarations > 4h | Informed |
Communication Protocol
The Art.14 communication strategy and Art.11(3) communication requirements overlap. Practical separation:
- Art.11(3): Internal crisis communication during BCP activation
- Art.14: External communication to clients, counterparties, and regulators
Both must be documented and pre-tested.
6. Art.11(4): Recovery Time and Recovery Point Objectives
Recovery objectives are the most technically specific Art.11 requirement. DORA Art.11(4) requires:
Financial entities shall define recovery time objectives and recovery point objectives for ICT services supporting critical or important functions, taking into account the nature, scale and complexity of the entity's operations.
RTO and RPO Architecture
| Concept | Definition | Measurement | Audit Evidence |
|---|---|---|---|
| Recovery Time Objective (RTO) | Maximum acceptable downtime before function must be restored | Clock time from incident to service resumption | Test results, incident post-mortems |
| Recovery Point Objective (RPO) | Maximum acceptable data loss, expressed as time | Time from last backup to point of failure | Backup frequency logs, restore test data |
| Recovery Time Actual (RTA) | Observed recovery time in tests/incidents | Measured during Art.11(5) tests | Test logs, incident timelines |
| Recovery Point Actual (RPA) | Actual data loss in restore scenarios | Measured during restore testing | Data reconciliation reports |
DORA-Aligned RTO/RPO Tiering
The ESA Joint Guidelines do not mandate specific RTO/RPO values — they must be risk-based. Typical tiering aligned with Art.18 materiality thresholds:
| Function Tier | RTO Target | RPO Target | Rationale |
|---|---|---|---|
| Critical (Art.4(22)) | < 4 hours | < 1 hour | Art.19 reporting triggers at 4h downtime |
| Important | < 8 hours | < 4 hours | Within business day recovery |
| Standard | < 24 hours | < 8 hours | Next-business-day recovery |
| Non-critical | < 72 hours | < 24 hours | Best-effort recovery |
The 4-hour RTO threshold is particularly significant: DORA Art.19(4)(a) requires initial major ICT incident notification within 4 hours of classification. If your RTO for critical functions exceeds 4 hours, you will be filing Art.19 notifications before recovery — which is permissible but increases regulatory visibility and NCA scrutiny.
RTO/RPO Documentation Requirements
For each critical/important function, document:
# Art.11 RTO/RPO Record — minimum required fields
function_id: "F-001"
function_name: "Core Payment Processing"
classification: "Critical"
rto_target: "PT2H" # ISO 8601 duration
rpo_target: "PT30M" # ISO 8601 duration
justification: "Art.19 notification risk + client settlement obligations"
supporting_art12_controls:
- "Real-time database replication to DR site"
- "30-minute RPO backup schedule"
- "DR site warm-standby with 90-second failover"
last_tested: "2026-01-15"
rta_achieved: "PT1H47M" # Recovery Time Actual from last test
rpa_achieved: "PT18M" # Recovery Point Actual from last test
next_test_due: "2027-01-15"
owner: "Head of Payment Infrastructure"
7. Art.11(5): Annual Testing Obligation
Financial entities shall test their ICT business continuity plans at least yearly. — DORA Art.11(5)
This is an unconditional annual minimum — not "when practicable" or "based on risk." Annual testing is mandatory regardless of entity size (including microenterprises under the Art.16 simplified framework).
Testing Methodology Requirements
Art.11(5) does not specify a particular testing methodology, but the ESA Joint Guidelines on advanced testing (linked to Art.24-25) inform acceptable approaches:
| Test Type | Description | RTO/RPO Validation | Annual Frequency |
|---|---|---|---|
| Tabletop exercise | Walkthrough of BCP with key roles, no actual system activation | Partial (theoretical) | Minimum annually |
| Component test | Individual system failover without full BCP activation | Partial (component) | Quarterly (good practice) |
| Parallel test | Production and DR systems running simultaneously | Full validation | Annually (minimum) |
| Full failover test | Complete cutover to DR environment | Full validation + RTA/RPA measurement | Recommended annually for critical functions |
Regulatory expectation: For entities with critical functions (Art.4(22)), NCAs increasingly expect at least one full failover test per year rather than tabletop-only exercises. Tabletop alone is considered insufficient for "critical" tier.
Test Scope Requirements
Annual tests must cover:
- BCP activation procedure (does the trigger mechanism work?)
- Role notification and communication chain (can everyone be reached?)
- System failover to DR (does technical recovery work?)
- RTO verification (was the objective achieved?)
- RPO verification (how much data was lost?)
- Third-party coordination (do Art.28 TPPs respond per contractual SLAs?)
- NCA notification chain test (can you execute Art.19 reporting under stress?)
- Post-activation debrief (Art.11(6) documentation)
8. Art.11(6): Post-Test Documentation
After tests or in case of major ICT-related incidents, financial entities shall document the lessons learned and where necessary, implement improvements. — DORA Art.11(6)
Post-test documentation must include:
| Section | Required Content |
|---|---|
| Test metadata | Date, type, scope, participants, scenario |
| RTO/RPO results | Target vs. achieved for each tested function |
| Issues identified | Technical failures, role gaps, communication breakdowns |
| Corrective actions | Specific actions, owners, deadlines |
| Policy/plan updates | Changes to BCP policy or plans resulting from test findings |
| Sign-off | Management acknowledgment (evidence of board-level oversight) |
This documentation is primary NCA audit evidence. Auditors specifically look for evidence that corrective actions from prior tests were implemented — a pattern of repeated identical findings signals inadequate programme governance.
9. Art.11 vs. Art.12: The Distinction That Matters for NCA Audits
| Dimension | Art.11 (BCP Policy) | Art.12 (Backup Operations) |
|---|---|---|
| Type | Governance document | Operational procedures |
| Author | CISO/CRO with Board approval | ICT operations team |
| Audience | Management, NCAs, auditors | DevOps, infrastructure teams |
| Focus | When and why to activate recovery | How to execute backup and restore |
| RTO/RPO | Sets objectives | Implements the technical means to meet objectives |
| Testing | Validates the policy and activation process | Tests that backups can be restored |
| Failure mode | Policy gap (no governance) | Operational gap (backups fail) |
Common audit finding: Entity has Art.12-compliant backup procedures with tested restore capability, but no Art.11 BCP policy document. The operational capability exists but the governance framework is missing. NCA auditors classify this as a material Art.11 finding because the activation decision criteria, recovery objectives, and accountabilities are not formally established.
10. Python Implementation
DORABCPPolicy: Core BCP Governance Model
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional
import logging
logger = logging.getLogger(__name__)
class FunctionTier(str, Enum):
CRITICAL = "critical"
IMPORTANT = "important"
STANDARD = "standard"
NON_CRITICAL = "non_critical"
class BCPActivationStatus(str, Enum):
DORMANT = "dormant"
MONITORING = "monitoring"
ACTIVATED = "activated"
RECOVERING = "recovering"
CLOSED = "closed"
@dataclass
class RTOObjective:
function_id: str
function_name: str
tier: FunctionTier
rto_target: timedelta
rpo_target: timedelta
rta_last_test: Optional[timedelta] = None
rpa_last_test: Optional[timedelta] = None
last_tested: Optional[datetime] = None
def test_due(self) -> bool:
if self.last_tested is None:
return True
return datetime.now() - self.last_tested > timedelta(days=365)
def rto_compliant(self) -> bool:
if self.rta_last_test is None:
return False # Untested = non-compliant
return self.rta_last_test <= self.rto_target
def rpo_compliant(self) -> bool:
if self.rpa_last_test is None:
return False
return self.rpa_last_test <= self.rpo_target
def compliance_summary(self) -> dict:
return {
"function_id": self.function_id,
"tier": self.tier.value,
"rto_target_hours": self.rto_target.total_seconds() / 3600,
"rpo_target_hours": self.rpo_target.total_seconds() / 3600,
"rto_compliant": self.rto_compliant(),
"rpo_compliant": self.rpo_compliant(),
"test_due": self.test_due(),
"last_tested": self.last_tested.isoformat() if self.last_tested else None,
}
@dataclass
class BCPActivationCriteria:
criterion_id: str
description: str
metric: str
threshold: str
function_tiers: list[FunctionTier]
auto_activatable: bool = False
def evaluate(self, observed_value: str) -> bool:
"""
Override this for metric-specific evaluation.
Base implementation: requires manual evaluation.
"""
logger.warning(
f"Criterion {self.criterion_id} requires manual evaluation: "
f"observed={observed_value}, threshold={self.threshold}"
)
return False
class DORABCPPolicy:
"""
DORA Art.11 ICT Business Continuity Policy governance model.
Tracks activation status, criteria, RTO/RPO objectives, and test compliance.
"""
def __init__(self, entity_name: str, entity_lei: str):
self.entity_name = entity_name
self.entity_lei = entity_lei
self.activation_status = BCPActivationStatus.DORMANT
self.activation_time: Optional[datetime] = None
self.activation_triggered_by: Optional[str] = None
self.objectives: list[RTOObjective] = []
self.activation_criteria: list[BCPActivationCriteria] = []
self._activation_log: list[dict] = []
def add_objective(self, objective: RTOObjective) -> None:
self.objectives.append(objective)
def add_criterion(self, criterion: BCPActivationCriteria) -> None:
self.activation_criteria.append(criterion)
def activate(self, trigger_criterion_id: str, triggered_by: str, notes: str = "") -> dict:
"""
Art.11(3): Activate BCP with documented trigger and responsible actor.
"""
if self.activation_status == BCPActivationStatus.ACTIVATED:
raise ValueError("BCP already activated — use update_status() to change state")
self.activation_status = BCPActivationStatus.ACTIVATED
self.activation_time = datetime.now()
self.activation_triggered_by = triggered_by
event = {
"event": "activation",
"timestamp": self.activation_time.isoformat(),
"trigger_criterion_id": trigger_criterion_id,
"triggered_by": triggered_by,
"notes": notes,
}
self._activation_log.append(event)
logger.critical(
f"BCP ACTIVATED — Entity: {self.entity_name} "
f"| Trigger: {trigger_criterion_id} | Actor: {triggered_by}"
)
return event
def record_test_result(
self,
function_id: str,
rta: timedelta,
rpa: timedelta,
test_date: datetime,
test_type: str,
) -> dict:
"""
Art.11(5)-(6): Record annual test result for RTO/RPO validation.
"""
obj = next((o for o in self.objectives if o.function_id == function_id), None)
if obj is None:
raise ValueError(f"No RTO objective registered for function {function_id}")
obj.rta_last_test = rta
obj.rpa_last_test = rpa
obj.last_tested = test_date
result = {
"function_id": function_id,
"test_date": test_date.isoformat(),
"test_type": test_type,
"rto_target": obj.rto_target.total_seconds(),
"rto_actual": rta.total_seconds(),
"rto_met": obj.rto_compliant(),
"rpo_target": obj.rpo_target.total_seconds(),
"rpo_actual": rpa.total_seconds(),
"rpo_met": obj.rpo_compliant(),
}
logger.info(f"Test result recorded: {result}")
return result
def compliance_report(self) -> dict:
"""
Art.11(5)-(6): NCA-ready compliance report with all objectives and test status.
"""
objectives_status = [o.compliance_summary() for o in self.objectives]
untested = [o for o in self.objectives if o.last_tested is None]
overdue = [o for o in self.objectives if o.test_due() and o.last_tested is not None]
return {
"entity": self.entity_name,
"entity_lei": self.entity_lei,
"report_generated": datetime.now().isoformat(),
"bcp_status": self.activation_status.value,
"total_objectives": len(self.objectives),
"rto_compliant_count": sum(1 for o in self.objectives if o.rto_compliant()),
"rpo_compliant_count": sum(1 for o in self.objectives if o.rpo_compliant()),
"untested_functions": [o.function_id for o in untested],
"test_overdue_functions": [o.function_id for o in overdue],
"objectives": objectives_status,
}
BCPActivationDecision: Structured Activation Workflow
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
@dataclass
class BCPActivationDecision:
"""
DORA Art.11(3): Structured activation decision record.
Ensures activation criteria are evaluated, decision is documented,
and responsible actors are identified.
"""
decision_id: str
evaluating_role: str
incident_description: str
activation_criteria_met: list[str]
activation_decision: bool
decision_rationale: str
decision_time: datetime = None
escalation_required: bool = False
art19_reporting_triggered: bool = False
def __post_init__(self):
if self.decision_time is None:
self.decision_time = datetime.now()
def to_audit_record(self) -> dict:
return {
"decision_id": self.decision_id,
"decision_time": self.decision_time.isoformat(),
"evaluating_role": self.evaluating_role,
"incident_description": self.incident_description,
"criteria_met": self.activation_criteria_met,
"activated": self.activation_decision,
"rationale": self.decision_rationale,
"escalation_required": self.escalation_required,
"art19_reporting_triggered": self.art19_reporting_triggered,
"dora_article": "Art.11(3)",
}
# Usage example
decision = BCPActivationDecision(
decision_id="BCP-2026-001",
evaluating_role="Business Continuity Manager",
incident_description="Core payment processing database unavailable — 47 minutes elapsed",
activation_criteria_met=["F-AVAIL-01: >30min unscheduled downtime on critical function"],
activation_decision=True,
decision_rationale="RTO objective threshold breach imminent — activating DR failover",
art19_reporting_triggered=True, # 4h Art.19 clock now running
)
print(decision.to_audit_record())
BCPTestScheduler: Annual Testing Compliance Tracker
from datetime import datetime, timedelta
from typing import Optional
import json
class BCPTestScheduler:
"""
DORA Art.11(5): Track annual testing compliance across all functions.
Alerts when tests are due and records results for Art.11(6) documentation.
"""
def __init__(self, policy: DORABCPPolicy, test_interval_days: int = 365):
self.policy = policy
self.test_interval_days = test_interval_days
self._test_records: list[dict] = []
def functions_due_for_testing(self, warning_days: int = 30) -> list[dict]:
"""Returns functions where annual test is due within warning_days."""
due = []
for obj in self.policy.objectives:
if obj.last_tested is None:
due.append({
"function_id": obj.function_id,
"function_name": obj.function_name,
"status": "NEVER_TESTED",
"urgency": "IMMEDIATE",
})
else:
days_since = (datetime.now() - obj.last_tested).days
days_remaining = self.test_interval_days - days_since
if days_remaining <= warning_days:
due.append({
"function_id": obj.function_id,
"function_name": obj.function_name,
"last_tested": obj.last_tested.isoformat(),
"days_remaining": days_remaining,
"status": "OVERDUE" if days_remaining < 0 else "DUE_SOON",
"urgency": "IMMEDIATE" if days_remaining < 0 else "HIGH",
})
return due
def generate_test_plan(self) -> dict:
"""Generate annual BCP test plan for NCA submission."""
return {
"plan_date": datetime.now().isoformat(),
"entity": self.policy.entity_name,
"functions_in_scope": len(self.policy.objectives),
"critical_functions": [
o.function_id for o in self.policy.objectives
if o.tier == FunctionTier.CRITICAL
],
"test_schedule": self.functions_due_for_testing(warning_days=365),
"test_methodology": "Full failover for critical functions; parallel test for important",
"next_review": (datetime.now() + timedelta(days=90)).isoformat(),
}
11. Cross-Framework Mapping
| Requirement | DORA Art.11 | NIS2 Art.21(2)(c) | ISO 22301 | FFIEC BCP Guidance |
|---|---|---|---|---|
| BCP policy document | ✅ Mandatory | ✅ Business continuity | ✅ Clause 6.2 | ✅ Board-approved BCP |
| Activation criteria | ✅ Art.11(3) | Implied in Art.21(2)(c) | ✅ Clause 8.4 | ✅ Escalation thresholds |
| RTO/RPO | ✅ Art.11(4) | Recovery time implied | ✅ Clause 8.2.2 | ✅ MTPD/RTO/RPO |
| Annual testing | ✅ Art.11(5) | ✅ Art.21(2)(d) exercises | ✅ Clause 8.5 | ✅ Annual testing |
| Post-test documentation | ✅ Art.11(6) | ✅ Implied in Art.21 | ✅ Clause 9.1 | ✅ After-action reports |
| Third-party continuity | ✅ Art.28-30 link | ✅ Art.21(2)(d) supply chain | Clause 8.3 | ✅ Vendor BCP requirements |
NIS2 Art.21(2)(c) Dual-Compliance Note
For entities regulated under both DORA and NIS2 (e.g., cloud providers to financial entities, or financial entities that are NIS2 essential entities), the Art.11 BCP policy satisfies NIS2 Art.21(2)(c) if it explicitly covers:
- ICT business continuity (Art.11 primary)
- Backup management (Art.12 referenced)
- Disaster recovery (Art.11 + Art.12 combined)
- Crisis management (Art.14 communication strategy)
Document the dual-compliance mapping in the BCP policy's scope statement to simplify NCA and NIS2 authority audits.
12. Common Implementation Errors
| Error | Consequence | Fix |
|---|---|---|
| One document for BCP policy + backup procedures | Cannot demonstrate Art.11/Art.12 separation to auditors | Separate documents: BCP Policy (Art.11) + Backup Procedures (Art.12) |
| Generic ISO 22301 BCP without DORA Art.11 alignment | Missing activation criteria, RTO/RPO specificity required by Art.11(3)-(4) | Add DORA-specific sections: trigger criteria, Art.18-aligned RTO tiers |
| Tabletop-only annual test | NCAs for critical functions expect at least one failover test | Schedule one full failover test per year; use tabletop for supplemental coverage |
| RTO/RPO not updated after incidents | Art.11(6) requires lessons learned implementation | Add post-incident RTO/RPO review to incident closure checklist |
| No third-party continuity alignment | Art.28 TPP SLAs inconsistent with Art.11 RTO objectives | Cross-reference Art.28 contracts against Art.11 RTO table during contract review |
| Activation criteria too subjective | Slow or inconsistent BCP activation under stress | Rewrite criteria as binary thresholds (metric + threshold + timeframe) |
| BCP not tested for critical function subset | Annual test covers non-critical systems only | Ensure test plan explicitly includes all Art.4(22) critical functions |
13. DORA Art.11 Compliance Checklist (20 Items)
Use this checklist for self-assessment or NCA audit preparation:
Policy Documentation (Art.11(1))
- Documented ICT Business Continuity Policy exists as a standalone board-approved document
- Policy scope explicitly covers all critical and important functions per Art.4(22)
- Policy references the ICT Risk Management Framework per Art.5
- Policy is separate from (but references) Art.12 backup and restore procedures
Business Continuity Plans (Art.11(2))
- BCP plans exist for each critical/important function
- Plans cover all ICT assets and services supporting those functions
- Plans include Art.28 third-party dependency mapping
Activation Criteria and Roles (Art.11(3))
- Activation criteria are documented, binary/metric-based, and function-specific
- Decision authority roles are named (not generic titles only)
- Communication protocol (internal crisis + external Art.14 notification) is documented
- Escalation chain to senior management/board is defined
Recovery Objectives (Art.11(4))
- RTO and RPO defined per function tier (critical/important/standard)
- RTO for critical functions is ≤ 4 hours (Art.19 reporting threshold aligned)
- RTO/RPO targets are justified by risk assessment, not set arbitrarily
- Art.12 backup frequency and DR capability are sufficient to meet RPO targets
Annual Testing (Art.11(5))
- Annual BCP test has been conducted in the past 12 months
- At least one full failover test conducted for critical functions this year
- Test included role activation, communication chain, and Art.19 notification drill
Post-Test Documentation (Art.11(6))
- Test results documented with RTA/RPA actuals vs. targets
- Corrective actions from most recent test have defined owners and deadlines
- Evidence exists that prior year's corrective actions were implemented
- Post-test report has been reviewed and signed off by management
See Also
- DORA Art.5-9: ICT Risk Management Framework — The strategic framework within which Art.11 sits
- DORA Art.12: ICT Backup Policies and Restoration Procedures — The operational layer that Art.11 policy governs
- DORA Art.13: Post-Incident Review and Learning — How lessons from incidents feed back into BCP improvements
- DORA Art.14: Communication Strategy and Crisis Plans — The external communication dimension required alongside Art.11(3)
- DORA Art.17-18: ICT Incident Management and Classification — Art.18 classification thresholds align with Art.11 RTO design
- DORA Art.24-25: Digital Operational Resilience Testing Programme — Advanced testing requirements that go beyond Art.11(5) annual BCP tests