1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall test their business continuity plans referred to in Article 39 of this Regulation, including the scenarios referred to in that Article, at least once every year for the back-up and restore procedures, or upon every major change of the business continuity plan.
2. The testing of business continuity plans referred to in paragraph 1 shall demonstrate that the financial entities referred to in that paragraph are able to sustain the viability of their businesses until critical operations are re-established and identify any deficiencies in those plans.
3. The financial entities referred to in paragraph 1 shall document the results of the testing of business continuity plans and any identified deficiencies resulting from that testing shall be analysed, addressed, and reported to the management body.
The organization should regularly, at least annually, test and review its information security continuity plans to ensure that they are valid and effective in adverse situations.
Testing of continuity plans shall involve, as appropriate, stakeholders critical to each plan. The organisation should identify and document the necessary contacts with suppliers and partners.
In addition, the adequacy of continuity plans and associated management mechanisms should be reassessed in the event of significant changes in operations.
Continuity requirements for ICT services are derived from continuity plans that are created for core processes (e.g. related to the provision of organization's products and services) and the recovery time goals included in them.
Organization must identify what recovery times and recovery points different ICT services must be able to achieve, taking into account the defined recovery goals for related processes, and ensure the ability to achieve them.
The planning must take into account in particular:
The organization regularly develops its continuity plans by analyzing the testing of the plans, training and their actual use in real situations.