DORA Business Continuity and Disaster Recovery: Articles 11-12 Guide for 2026
Practical 2026 guide to DORA Articles 11 and 12 BCDR: ICT continuity policy, backup, restoration, RTO and RPO, testing, suppliers and supervisory evidence.
In this article ↓
- DORA BCDR in one table
- What Article 11 requires
- What Article 12 requires
- Where BCDR sits in DORA
- Critical or important functions
- Evidence checklist
- Testing scenarios
- Incident reporting connection
- Third-party BCDR
- Microenterprises and proportionality
- Common mistakes
- 90-day BCDR cleanup plan
- FAQ
- How does DORA BCDR differ from traditional BCDR?
- Does every financial entity need TLPT?
- How often should BCDR be tested?
- Is ISO 27001 enough for DORA BCDR?
- Related reading
- Primary sources
Last reviewed: 29 April 2026
DORA business continuity and disaster recovery is not only an IT recovery topic.
Under DORA, BCDR is part of the financial entity's digital operational resilience framework. It should connect to:
- critical or important functions;
- ICT risk management;
- incident response;
- resilience testing;
- ICT third-party risk;
- management-body oversight.
In 2026, the supervisory question is simple:
Can the financial entity prove that critical or important services can be restored, not just that a continuity policy exists?
DORA BCDR in one table
| DORA area | What it means for BCDR | Evidence to maintain |
|---|---|---|
| Article 11 | ICT business continuity policy, response and recovery procedures | Approved BCP, crisis procedures, recovery playbooks |
| Article 11 | Plans tested at least yearly and after material changes | Test calendar, scenario records, after-action reports |
| Article 12 | Backup policies and procedures | Backup scope, retention, segregation and protection evidence |
| Article 12 | Restoration and recovery procedures and methods | Restore test reports, RTO/RPO measurements, integrity checks |
| Article 12 | Redundant ICT capacities and secondary site where applicable | Architecture evidence, failover results, site assumptions |
| Article 25 | Digital operational resilience testing programme | Risk-based test plan, results and remediation tracker |
| Article 26 | TLPT for entities identified by competent authorities | TLPT scope, report and remediation where applicable |
| Articles 17-19 | Incident management and reporting | Incident records, classification logs, reporting evidence |
| Article 28-30 | ICT third-party risk and contracts | Supplier resilience evidence, Article 30 clauses, exit plans |
What Article 11 requires
Article 11 focuses on response and recovery. The financial entity must have an ICT business continuity policy as part of the overall business continuity policy. The policy should cover the continuity of critical or important functions and the procedures for response, recovery and restoration.
| Article 11 topic | Practical implementation |
|---|---|
| ICT business continuity policy | Scope, roles, critical functions, activation criteria and review cadence |
| Response procedures | Containment, escalation, crisis decision-making and communications |
| Recovery procedures | Service restoration sequence and dependencies |
| Crisis communication | Internal, customer, provider, authority and management communication paths |
| Testing | Annual tests, tests after material changes and tests after significant incidents |
| Lessons learned | Findings, owners, remediation and management reporting |
The common gap is that the BCP exists but has never been tested against a realistic ICT disruption involving technology, operations, compliance and a critical provider.
What Article 12 requires
Article 12 focuses on backup, restoration and recovery. The entity needs backup policies and procedures, restoration and recovery procedures and methods, and appropriate ICT capacities to meet business needs.
| Article 12 topic | Evidence |
|---|---|
| Backup scope | Which systems and data are backed up and why |
| Backup frequency | Frequency aligned to criticality and data sensitivity |
| Retention | Retention schedule and deletion/expiry logic |
| Segregation | Logical or physical separation from source systems |
| Integrity | Backup integrity and restoration validation |
| RTO/RPO | Recovery time and recovery point objectives by service |
| Secondary site / capacity | Redundancy and geographic assumptions where applicable |
The test is not "did the backup run?"
The test is:
Can the service be restored within the required objective and with data integrity intact?
Where BCDR sits in DORA
BCDR sits across several DORA pillars:
| DORA pillar | BCDR connection |
|---|---|
| ICT risk management | Defines critical functions, recovery objectives and control ownership |
| Incident management | Activates response, escalation and reporting |
| Resilience testing | Proves restoration and service-chain resilience |
| ICT third-party risk | Extends continuity requirements to outsourced services |
| Management-body oversight | Ensures risks, failures and remediation are visible |
This is why BCDR should not be maintained as a standalone IT document. It should be part of the ICT risk operating model.
Critical or important functions
DORA BCDR should start with critical or important functions, not with a generic server list.
| Mapping layer | Example question |
|---|---|
| Business service | Which regulated service would create material harm if unavailable? |
| Critical or important function | Which function supports that service? |
| ICT asset | Which systems, databases, APIs and integrations support the function? |
| Data dependency | What data must be available, accurate and restorable? |
| Third-party dependency | Which providers are required to operate or recover the function? |
| Recovery objective | What RTO and RPO are realistic and tested? |
For any critical or important function, the entity should be able to trace the chain:
- business impact analysis;
- asset inventory;
- supplier dependency;
- recovery plan;
- test result;
- management report.
Evidence checklist
| Evidence item | What good looks like |
|---|---|
| BIA | Critical or important functions identified and reviewed |
| BCP | Version-controlled, approved and tied to ICT risk |
| DR runbook | Step-by-step recovery procedure for key services |
| RTO/RPO register | Objectives documented and tested |
| Restore test report | Actual restoration evidence, not just backup success |
| Scenario test record | Severe-but-plausible scenario, decisions and gaps |
| Supplier resilience evidence | Critical provider recovery and incident support validated |
| Remediation tracker | Findings assigned, dated and closed |
| Board report | Material BCDR risks and failed assumptions visible |
Testing scenarios
DORA testing should be risk-based and proportionate. For BCDR, the best scenarios are service-chain scenarios.
| Scenario | What it tests |
|---|---|
| Cloud region outage | Failover, provider escalation, service restoration |
| Core payment processor disruption | Supplier dependency, customer impact, workaround |
| Ransomware affecting operational systems | Backup integrity, segregation and restoration sequence |
| Database corruption | RPO, data integrity and reconciliation |
| Identity provider outage | Access dependency and emergency access process |
| Critical SaaS provider breach | Third-party incident intake and continuity workaround |
| Payment API degradation | Monitoring, escalation and customer communication |
Each scenario should produce findings, owners and retest dates. A tabletop without actions is weak evidence.
Incident reporting connection
BCDR and incident reporting should be connected. A disruption that activates continuity or recovery procedures may also require DORA incident classification.
| BCDR event | Incident reporting implication |
|---|---|
| Critical service unavailable | Assess major ICT-related incident criteria |
| Provider outage | Capture third-party facts and impact |
| Recovery objective missed | Record impact and management escalation |
| Data integrity affected | Assess data-loss classification criteria |
| Customer impact material | Include client/counterparty impact in classification |
For major ICT-related incidents, the current DORA technical standards use staged reporting:
- initial notification within 4 hours after classification as major and no later than 24 hours after detection or awareness;
- intermediate report no later than 72 hours from the initial notification;
- final report no later than 1 month from the latest intermediate report.
See DORA Incident Reporting 2026 for the detailed timeline.
Third-party BCDR
Outsourced ICT services must be part of BCDR planning. A financial entity cannot show resilience if a critical provider is absent from tests, contracts and exit assumptions.
| Third-party BCDR control | Evidence |
|---|---|
| Criticality assessment | Provider linked to critical or important function |
| Contractual support | Incident, recovery, audit and assistance clauses |
| Recovery commitments | Service levels, RTO/RPO support and continuity obligations |
| Subcontractor visibility | Material subcontractors and notification process |
| Test participation | Provider included in exercises where relevant |
| Exit planning | Transition plan and fallback options |
| Register of Information | Provider arrangement recorded and maintained |
The Register of Information should not be separate from BCDR. It should help identify which providers support critical functions and what recovery assumptions depend on them.
Microenterprises and proportionality
Proportionality changes depth, not the need for resilience. Smaller entities may use lighter artefacts, but they still need credible continuity, recovery and evidence.
| Area | Smaller entity | Larger/complex entity |
|---|---|---|
| BIA | Short list of critical services and dependencies | Formal BIA across business lines |
| BCP | Concise playbooks and contact paths | Detailed crisis management framework |
| Testing | One or two realistic annual scenarios | Multi-scenario testing programme |
| Supplier continuity | Critical providers only | Tiered third-party resilience framework |
| Reporting | Simple board/risk pack | Formal committee and board dashboards |
Common mistakes
| Mistake | Why it matters | Fix |
|---|---|---|
| Backup success treated as recovery proof | Backup completion does not prove service restoration | Run restore tests and record RTO/RPO |
| BIA not mapped to ICT assets | Recovery plans miss dependencies | Link functions, systems, data and providers |
| Suppliers excluded from scenarios | Real outages often start at providers | Include critical providers in tabletop or evidence review |
| TLPT treated as universal | Article 26 applies to selected entities | Keep TLPT separate from general testing programme |
| Incident reporting disconnected from BCDR | Continuity activation may require classification | Add classification checkpoint to BCDR activation |
| Board sees only test completion | Oversight misses failed assumptions | Report findings, decisions and remediation |
90-day BCDR cleanup plan
| Period | Work | Output |
|---|---|---|
| Days 1-15 | Map critical or important functions | Function-to-asset-to-provider map |
| Days 16-30 | Review BCP/DR runbooks | Updated playbooks and owner map |
| Days 31-45 | Validate backup and restore evidence | Restore test or remediation plan |
| Days 46-60 | Review critical provider continuity | Supplier resilience evidence and gaps |
| Days 61-75 | Run one service-chain scenario | Tabletop/test report with actions |
| Days 76-90 | Report to management body | BCDR risk pack and next-quarter plan |
FAQ
How does DORA BCDR differ from traditional BCDR?
DORA ties BCDR to ICT risk management, critical or important functions, incident reporting, resilience testing and ICT third-party risk. The evidence standard is operational: the entity must show plans were tested and findings were closed.
Does every financial entity need TLPT?
No. Threat-led penetration testing under Article 26 applies to financial entities identified by competent authorities under the relevant criteria. All entities need proportionate resilience testing, but TLPT is not universal.
For scope, roles and evidence, see DORA TLPT: 2026 Guide to Threat-Led Penetration Testing.
How often should BCDR be tested?
ICT business continuity and response/recovery plans should be tested at least yearly and after material changes or significant incidents. The test programme should be proportionate to the entity's risk profile.
Is ISO 27001 enough for DORA BCDR?
No. ISO 27001 can support the control environment, but DORA-specific evidence is still needed: critical-function mapping, DORA incident classification, Article 30 provider controls, Register of Information links and DORA resilience testing.
DORA by competent authority
DORA applies as EU law, but day-to-day reporting, evidence and supervisory dialogue runs through your National Competent Authority (NCA). Pick the jurisdiction-specific guide that matches your authorisation:
| Jurisdiction | DORA competent authority | Guide |
|---|---|---|
| Cyprus | CBC | Cyprus guide → |
| Denmark | Finanstilsynet | Denmark guide → |
| Estonia | Finantsinspektsioon | Estonia guide → |
| France | ACPR | France guide → |
| Germany | BaFin | Germany guide → |
| Ireland | Central Bank of Ireland | Ireland guide → |
| Italy | Banca d'Italia | Italy guide → |
| Latvia | Latvijas Banka | Latvia guide → |
| Lithuania | Lietuvos bankas | Lithuania guide → |
| Luxembourg | CSSF | Luxembourg guide → |
| Malta | MFSA | Malta guide → |
| Netherlands | DNB | Netherlands guide → |
| Spain | Banco de España | Spain guide → |
| Sweden | Finansinspektionen | Sweden guide → |
See the DORA National Competent Authorities selected-jurisdictions hub for the full directory and the difference between NCAs and the EU ESAs (EBA, ESMA, EIOPA).
Related reading
- DORA Incident Reporting 2026: Timeline, Classification and Evidence
- DORA Requirements in 2026: Operating Controls and Evidence Checklist
- DORA Register of Information: 2026 Guide for ICT Third-Party Risk
- DORA ICT Risk Register Template: 2026 Guide for Financial Entities
- 7 DORA Compliance Mistakes EU Financial Firms Still Need to Fix in 2026