5. Business Continuity and Disaster Recovery (IT Rebuild)
The Digital Operational Resilience Act (DORA) requires financial entities to establish and maintain a business continuity and disaster recovery (BCDR) capability that keeps critical or important functions running through ICT disruptions, restores ICT services within defined time limits, and limits the impact of incidents on the business. The framework must cover continuity of operations, disaster recovery, and the rapid, verified restoration of ICT services.
This guide outlines the requirements, good practices, and implementation steps for meeting DORA's business continuity and IT rebuild obligations, and highlights where they connect with the other DORA compliance themes.

by Sylvan Ravinet

The StratOps way to accelerate DORA
This guide on Business Continuity and Disaster Recovery (IT Rebuild) can help you achieve DORA compliance. Faster. Part of my 12-capabilities cyber framework.
Have feedback? Connect with me on Linkedin
1. Overview of DORA Requirements for Business Continuity and Disaster Recovery
1.1. Key Objectives
DORA establishes requirements to ensure that financial entities can:
1. Minimize the impact of ICT disruptions on critical or important business functions
2. Restore ICT systems and services within acceptable, pre-defined timeframes
3. Demonstrate resilience through regular testing and continuous improvement
1.2. Regulatory Sources
DORA Regulation (EU) 2022/2554:
  • Article 11 (Response and recovery): requires an ICT business continuity policy, ICT response and recovery plans, and testing of those plans at least yearly
  • Article 12 (Backup policies and procedures, restoration and recovery): requires backup policies, restoration and recovery procedures, and testing of backups
  • Article 13 (Learning and evolving): requires post-incident reviews and the feeding of lessons learned back into the plans
  • Articles 24 to 27 (Digital operational resilience testing): require a testing programme, including threat-led penetration testing (TLPT) for the entities in scope
  • The RTS on the ICT risk-management framework (Commission Delegated Regulation (EU) 2024/1774) specifies what the ICT business continuity policy, the business impact analysis and the response and recovery plans must contain, including the setting and testing of recovery time objectives (RTOs) and recovery point objectives (RPOs). DORA does not prescribe numeric RTOs or RPOs; the entity sets them per function and must be able to show they are met.
2. Key Components of a BCDR Framework Under DORA
2.1. Business Continuity Planning (BCP)
1. Identification of Critical Business Functions
  • Conduct a Business Impact Analysis (BIA) to identify the functions that are critical to operations and financial stability, and the ICT assets, data and third-party services each of them depends on
2. Continuity Objectives
  • Define Recovery Time Objectives (RTOs): the maximum allowable downtime for each critical function, measured from the start of the disruption to validated service, so detection, decision, restore and validation time all count against it
  • Define Recovery Point Objectives (RPOs): the maximum tolerable data loss, expressed as the time between the last usable backup and the disruption. A backup schedule that runs less often than the RPO cannot meet it.
3. Continuity Strategies
  • Establish redundancy for critical systems, including high-availability solutions and geographically distributed backups and data centers
  • Develop manual workarounds or alternative processes to maintain operations during ICT disruptions, and test that staff can actually operate them
2.2. Disaster Recovery (DR)
1. Disaster Recovery Plans (DRPs)
  • Create and document DR plans for restoring ICT systems and services after major disruptions
  • Key components of a DRP include:
  • Restoration priorities based on system criticality and on dependencies (a system cannot be restored before the ones it relies on)
  • Detailed recovery procedures for ICT systems, applications, and infrastructure
  • Escalation and communication protocols during recovery efforts
2. IT Rebuild
  • Prepare a system rebuild strategy for scenarios such as the complete loss of ICT infrastructure (e.g., ransomware or a natural disaster)
  • Cover the reinstallation and reconfiguration of critical applications and databases from known-clean sources (golden images, infrastructure-as-code, vendor installers), not from images that may already contain the attacker's foothold
  • Keep the credentials, encryption keys and documentation needed for the rebuild outside the environment being rebuilt
3. Data Backups and Restoration
  • Regular backups for critical systems, at a frequency consistent with the RPO
  • At least one copy that is offline or immutable, so that an attacker who controls the production environment cannot delete or encrypt it
  • Testing backup integrity and restoration processes: a backup that has never been restored is an assumption, not a control
  • Securing backup data with encryption and access controls
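The backup checks above and the RTO/RPO definitions in 2.1 are easier to reason about when written down as a procedure. The following is an added example for this guide, not DORA text and not a vendor tool: a hypothetical stdlib-only helper that writes a backup archive with a separate SHA-256 manifest, performs a test restore into a scratch directory, compares every restored file with the manifest, measures the restore time, and checks RPO and RTO arithmetic. The sample data set in demo() is constructed.

```python
"""Backup manifest, integrity verification, test restore and RPO/RTO checks.

Hypothetical helper written for this guide (not DORA text, not a vendor tool).
Standard library only; the sample data set is constructed inline by demo().
"""
import hashlib
import json
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large database dumps do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, archive):
    """Write source (a directory) to a tar.gz and return {relative_path: sha256}.
    The manifest is kept separate from the archive: a truncated or tampered
    archive must not be able to vouch for itself."""
    source, manifest = Path(source), {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def _safe_extract(tar, dest):
    """Extract without letting archive member names escape dest."""
    try:
        # Python 3.12 (and patched 3.8+) rejects absolute paths, '..' and
        # device files when the 'data' filter is used.
        tar.extractall(dest, filter="data")
    except TypeError:  # interpreter without the filter argument
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError("unsafe member path: " + m.name)
        tar.extractall(dest)


def verify_restore(archive, manifest):
    """Restore into a scratch directory and compare every file with the manifest.
    Returns (ok, problems, seconds). The elapsed time is the measured restore
    component of the RTO for this data set; a DR test should record that
    number rather than an estimate."""
    problems = []
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            _safe_extract(tar, dest)
        restored = {p.relative_to(dest).as_posix(): p
                    for p in dest.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            if rel not in restored:
                problems.append("missing after restore: " + rel)
            elif sha256_file(restored[rel]) != expected:
                problems.append("hash mismatch: " + rel)
        for rel in sorted(restored.keys() - manifest.keys()):
            problems.append("unexpected file restored: " + rel)
    return (not problems, problems, time.monotonic() - start)


def rpo_met(last_verified_backup, now, rpo):
    """Data written after the newest *verified* backup is lost in a rebuild,
    so the RPO is measured from that backup, not from the last scheduled job."""
    return now - last_verified_backup <= rpo


def rto_met(detect, decide, restore, validate, rto):
    """RTO covers the whole chain from detection to validated service, not
    only the restore step that verify_restore() times."""
    return detect + decide + restore + validate <= rto


def demo():
    """Constructed data set: back it up, verify a clean restore, then show how
    a manifest that no longer matches the archive is reported."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "ledger"
        (src / "db").mkdir(parents=True)
        (src / "db" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (src / "config.ini").write_text("[core]\nmode=prod\n")
        archive = work / "ledger.tar.gz"
        manifest = create_backup(src, archive)
        clean_ok, clean_problems, _ = verify_restore(archive, manifest)
        stale = dict(manifest)
        stale["db/accounts.csv"] = "0" * 64     # archive content drifted
        stale["db/journal.log"] = "1" * 64      # expected file is absent
        bad_ok, bad_problems, _ = verify_restore(archive, stale)
    return {"clean_ok": clean_ok, "clean_problems": clean_problems,
            "stale_ok": bad_ok, "stale_problems": bad_problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    now = datetime.now(timezone.utc)
    print("RPO 4h met:", rpo_met(now - timedelta(hours=2), now, timedelta(hours=4)))
```

Two design choices matter for the control. The manifest lives outside the archive and is produced from the source files before they are archived, so a corrupt, truncated or substituted archive cannot pass its own check; in production the manifest (or its hash) belongs on the offline or immutable copy. Restoring into a scratch location rather than over production is what makes the test safe to run on a schedule, and the measured restore time feeds the RTO evidence DORA expects rather than a planning estimate.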
2.3. Integration with Incident Response
Align BCDR plans with the organization's incident response framework:
1. Ensure BCDR plans are activated immediately upon detection of major ICT incidents
2. Define handoff points between incident response teams and recovery teams (see Incident Management Guide)
3. Testing and Validation of BCDR Plans
3.1. Resilience Testing
Conduct regular resilience testing to validate the effectiveness of BCDR plans:
  • Test failover mechanisms for critical systems
  • Simulate disaster scenarios to assess recovery times and manual workarounds
3.2. Threat-Led Penetration Testing (TLPT)
  • Include TLPT exercises (required by DORA at least every three years for the entities in scope) to test detection of and recovery from advanced attacks such as ransomware or data breaches; the recovery phase of the exercise should be run against the real DRP and its findings fed back into it (see Testing Guide)
3.3. Live Simulations and Drills
Organize BCDR drills involving all stakeholders, including:
  • ICT teams, business units, and third-party providers
  • Simulated disruptions (e.g., loss of primary data centers or critical applications)
3.4. Continuous Improvement
Use lessons learned from tests and real incidents to:
  • Update BCDR plans
  • Enhance recovery procedures and backup strategies
4. Roles and Responsibilities in BCDR
4.1. Management Body Oversight
The management body must:
  • Approve the BCDR framework
  • Ensure sufficient resources (human, technical, financial) for its implementation (see Governance Guide)
4.2. BCDR Teams
Assign dedicated teams for:
  • Business continuity planning and management
  • Disaster recovery execution and IT rebuild
4.3. Third-Party Providers
Ensure third-party providers have their own BCDR plans that align with your organization's objectives (see TP(S)RM Guide)
5. Challenges and Mitigation Strategies
5.1. Challenge: Complexity of Interdependencies
Mitigation: Use dependency mapping tools to document relationships between ICT assets, business functions, and third-party services
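Dependency mapping only pays off when the map can answer two questions during an incident: which business functions are hit when a given asset fails, and in what order the affected assets must be rebuilt. The following is an added example for this guide, not a tool from any vendor and not DORA text: a hypothetical Python script with a constructed asset inventory, BIA function list and RTOs, which derives the transitive impact of an outage, orders the rebuild as waves that respect dependencies (tightest RTO first within a wave, which also answers the "restoration priorities" item in 2.2), flags third-party services the entity cannot rebuild itself, and rejects an inventory that contains a dependency cycle.

```python
"""Dependency map for impact analysis and rebuild ordering.

Hypothetical example written for this guide; the asset names, dependencies,
business functions and RTOs below are constructed and do not describe any
real entity or vendor.
"""
from graphlib import CycleError, TopologicalSorter

# "X": [Y, ...] means X depends on Y and cannot be restored until Y is back.
DEPENDS_ON = {
    "online_banking": ["payments_api", "auth_service"],
    "payments_api": ["core_db", "auth_service", "card_scheme_gateway"],
    "auth_service": ["identity_db", "hsm"],
    "reporting": ["core_db"],
    "core_db": ["san_storage"],
    "identity_db": ["san_storage"],
    "hsm": [],
    "san_storage": [],
    "card_scheme_gateway": [],  # third-party service with its own BCDR plan
}

# Business functions from the BIA: the ICT services they need and their RTO.
FUNCTIONS = {
    "retail_payments": {"needs": ["online_banking", "payments_api"], "rto_h": 2},
    "regulatory_reporting": {"needs": ["reporting"], "rto_h": 24},
}

THIRD_PARTY = {"card_scheme_gateway"}


def _closure(start, edges):
    """All nodes reachable from start by following the given edges."""
    seen, stack = set(), list(start)
    while stack:
        a = stack.pop()
        if a not in seen:
            seen.add(a)
            stack.extend(edges.get(a, []))
    return seen


def impacted_assets(failed, depends_on=DEPENDS_ON):
    """Everything that is down once `failed` is down: the failed assets plus
    all transitive dependents (the reverse direction of DEPENDS_ON)."""
    dependents = {}
    for a, deps in depends_on.items():
        for d in deps:
            dependents.setdefault(d, set()).add(a)
    return _closure(failed, dependents)


def impacted_functions(failed, depends_on=DEPENDS_ON, functions=FUNCTIONS):
    """Business functions hit by the outage, with their RTO in hours."""
    down = impacted_assets(failed, depends_on)
    return {name: f["rto_h"] for name, f in functions.items()
            if any(s in down for s in f["needs"])}


def asset_priority(asset, depends_on=DEPENDS_ON, functions=FUNCTIONS):
    """Tightest RTO among the functions that (transitively) need this asset;
    assets no function needs sort last."""
    rtos = [f["rto_h"] for f in functions.values()
            if asset in _closure(f["needs"], depends_on)]
    return min(rtos) if rtos else float("inf")


def rebuild_plan(failed, depends_on=DEPENDS_ON, functions=FUNCTIONS):
    """Restore-and-validate waves for an outage of `failed`. Assets within a
    wave have no unmet dependencies and can be worked in parallel; within a
    wave the tightest RTO goes first. Raises ValueError on a dependency cycle,
    which means the inventory itself must be fixed before a DR test."""
    down = impacted_assets(failed, depends_on)
    ts = TopologicalSorter(
        {a: [d for d in depends_on.get(a, []) if d in down] for a in down})
    try:
        ts.prepare()
    except CycleError as e:
        raise ValueError("dependency cycle in asset inventory: %s" % (e.args[1],))
    waves = []
    while ts.is_active():
        ready = sorted(ts.get_ready(),
                       key=lambda a: (asset_priority(a, depends_on, functions), a))
        waves.append(ready)
        ts.done(*ready)
    return waves


def external_waits(failed, depends_on=DEPENDS_ON, third_party=THIRD_PARTY):
    """Impacted services the entity cannot rebuild itself: the plan must record
    the provider's own recovery commitment and an escalation contact for each."""
    return sorted(impacted_assets(failed, depends_on) & third_party)


if __name__ == "__main__":
    scenario = {"san_storage"}          # loss of the primary storage array
    print("functions hit:", impacted_functions(scenario))
    for i, wave in enumerate(rebuild_plan(scenario), 1):
        print("wave %d: %s" % (i, ", ".join(wave)))
    print("waiting on providers:", external_waits(scenario))
```

Run against the constructed inventory, a loss of san_storage takes out both business functions and yields five waves, starting with the storage array and ending with online_banking; a loss of the card scheme gateway takes out only retail payments and the plan shows that the first wave is outside the entity's control. The same structure scales to an exported CMDB or asset register as long as each asset records what it depends on, which is exactly the information the BIA has to capture.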
5.2. Challenge: Resource Limitations
Mitigation: Prioritize resources for the most critical systems and functions based on BIA results
5.3. Challenge: Evolving Threat Landscape
Mitigation: Regularly update BCDR plans to address new threats, including cyberattacks and climate-related risks
6. Integration with Other DORA Domains
6.1. ICT Asset Classification
Align recovery priorities with the classification of ICT assets (see ICT Asset Classification Guide)
6.2. Data Security and Backups
Ensure backup and restoration processes are part of the BCDR framework (see Data Security Guide)
6.3. Incident Management
BCDR plans should integrate with incident management processes to ensure seamless activation during disruptions. (see Incident Management Guide)
6.4. Third-Party Dependencies
Include third-party service providers in testing and validation of BCDR plans (see TP(S)RM Guide)
7. Best Practices for DORA-Compliant BCDR Frameworks
Document & Communicate
Ensure BCDR plans are well-documented and communicated across all levels of the organization
Redundancy
Establish geographically dispersed backups and alternative sites for critical systems
Testing Frequency
Test BCDR plans at least yearly (the minimum DORA Article 11 sets for ICT business continuity plans) and after major changes to ICT systems or dependencies
Stakeholder Engagement
Involve key stakeholders (internal and external) in all aspects of continuity and recovery planning
8. Key Takeaways

A robust Business Continuity and Disaster Recovery (BCDR) framework is essential for DORA compliance and operational resilience

Financial entities must:
  • Identify critical business functions and set RTOs and RPOs
  • Develop comprehensive continuity and disaster recovery plans
  • Test, validate, and continuously improve these plans through simulations and resilience testing

BCDR frameworks must integrate with incident response, ICT asset management, and third-party risk management to ensure a cohesive approach to resilience

Regulatory oversight requires transparency in BCDR planning, with competent authorities empowered to audit and review these frameworks
Links to Related DORA Compliance Themes
For a comprehensive understanding of DORA compliance, read this guide together with the related guides it references: Governance, ICT Asset Classification, Data Security, Incident Management, Testing, and TP(S)RM.
For detailed implementation guidance, refer to DORA's RTS and ITS documentation and the related guides within this compliance series.
I hope this guide on Business Continuity and Disaster Recovery (IT Rebuild) will help your team achieve DORA compliance.
There are 11 more capabilities for you!
