Using one ISO 22301 BCMS to satisfy DORA and NIS2
DORA and NIS2 both require tested business continuity. A plain-English guide to how an ISO 22301 BCMS gives you one framework, and one set of evidence, to satisfy both.
DORA and NIS2 approach business continuity from different starting points, but they converge on the same demand: prove you can keep operating and recover when disrupted. Rather than build separate continuity programmes for each, most organisations use one ISO 22301 BCMS as the framework and map its outputs to both regulations.
What each regulation asks for
- DORA, Article 11 requires financial entities to maintain an ICT business continuity policy, with recovery objectives (RTO/RPO) derived from a business impact analysis, and to test their continuity and response plans. Article 12 adds backup and restoration procedures that are actually tested.
- NIS2, Article 21(2)(c) requires business continuity, such as backup management and disaster recovery, and crisis management as part of the cybersecurity risk-management measures essential and important entities must adopt.
Different wording, same substance: a BIA-driven continuity capability that is documented, owned and tested.
Why ISO 22301 fits both
ISO 22301 is the international standard for exactly this. Its clause 8 produces the artefacts both regulations expect:
- the BIA and recovery objectives DORA Article 11 asks for,
- the recovery strategies and plans that underpin NIS2's continuity and crisis management,
- and the exercise programme that evidences the testing both regimes demand.
Because it's a single management system, you maintain one BIA, one set of dependencies, one exercise history, and map that evidence to each obligation rather than rebuilding it per regulation.
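To make the "one evidence set, mapped to each obligation" idea concrete, here is an added example (not part of the original guide and not derived from the text of ISO 22301, DORA or NIS2) that evaluates each BCMS artefact once per critical service and reports which obligation each gap affects. The record fields, artefact names, the 365-day freshness window and the sample services are all assumptions chosen for illustration; the mapping of artefacts to articles follows the summary above.

```python
"""Map one ISO 22301 evidence set to DORA and NIS2 continuity obligations.

Added example; the record fields, artefact names, freshness window and
sample data below are assumptions made for illustration, not text from
the standard or the regulations.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Service:
    name: str
    mtpd_hours: int                      # maximum tolerable period of disruption, from the BIA
    rto_hours: Optional[int]             # recovery time objective
    rpo_hours: Optional[int]             # recovery point objective
    has_recovery_plan: bool
    last_exercise: Optional[date]        # last continuity plan exercise
    last_restore_test: Optional[date]    # last backup restoration test


# Which BCMS artefacts evidence which obligation (assumed mapping, following the summary above).
OBLIGATIONS = {
    "DORA Art. 11": ("bia", "rto_rpo", "plan", "exercised"),
    "DORA Art. 12": ("restore_tested",),
    "NIS2 Art. 21(2)(c)": ("plan", "restore_tested", "exercised"),
}


def _fresh(d: Optional[date], today: date, max_age_days: int) -> bool:
    """True when the evidence exists and is no older than the freshness window."""
    return d is not None and (today - d) <= timedelta(days=max_age_days)


def artefact_status(svc: Service, today: date, max_age_days: int = 365) -> dict:
    """Evaluate each artefact once; every obligation reuses the same result."""
    return {
        "bia": svc.mtpd_hours > 0,
        # RTO/RPO count only when set and consistent with the BIA: RTO must not exceed MTPD.
        "rto_rpo": (svc.rto_hours is not None and svc.rpo_hours is not None
                    and svc.rto_hours <= svc.mtpd_hours),
        "plan": svc.has_recovery_plan,
        "exercised": _fresh(svc.last_exercise, today, max_age_days),
        "restore_tested": _fresh(svc.last_restore_test, today, max_age_days),
    }


def evidence_gaps(services, today: date, max_age_days: int = 365) -> dict:
    """Return {service: {obligation: [missing artefacts]}} for services that have gaps."""
    report = {}
    for svc in services:
        status = artefact_status(svc, today, max_age_days)
        missing = {ob: [a for a in arts if not status[a]] for ob, arts in OBLIGATIONS.items()}
        missing = {ob: arts for ob, arts in missing.items() if arts}
        if missing:
            report[svc.name] = missing
    return report


# Constructed sample data: one clean service and two with typical gaps.
TODAY = date(2025, 3, 1)
SERVICES = [
    Service("payments", 4, 2, 1, True, date(2024, 11, 15), date(2024, 12, 2)),
    # RTO (48h) exceeds the BIA's MTPD (24h); backup restore never tested.
    Service("customer-portal", 24, 48, 4, True, date(2024, 6, 10), None),
    # No recovery plan; last exercise older than the freshness window.
    Service("reporting", 72, 24, 24, False, date(2023, 9, 1), date(2024, 10, 1)),
]

if __name__ == "__main__":
    for name, gaps in evidence_gaps(SERVICES, TODAY).items():
        for ob, arts in gaps.items():
            print(f"{name}: {ob} lacks {', '.join(arts)}")
```

The design point is that a single artefact failure (an untested restore, an RTO inconsistent with the BIA) surfaces under every obligation that relies on it, so the same remediation closes the gap for the DORA supervisor and the NIS2 authority at once.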
The common thread: tested recovery
The point all three frameworks share is that a plan you've never tested doesn't count. DORA asks you to test; NIS2 expects disaster recovery you can rely on; ISO 22301 makes the exercise programme a core requirement. Build the BCMS once, keep it current, and run the tests, and the question "can you prove you'd recover?" has the same answer for an ISO auditor, a DORA supervisor and a NIS2 authority.