Art. 21(2)(c)Last updated: May 2026

NIS2 BCP/DR Planner

Enter your critical systems with their current RTO and RPO. The tool compares them against NIS2 reference targets and shows exactly where gaps exist in your business continuity documentation.

Enter your critical systems and see whether your RTO/RPO targets and backup test frequency meet NIS2 Art. 21(2)(c) requirements.

System 1

System name

Criticality

Current RTO (hours) — target: ≤4h

Current RPO (hours) — target: ≤1h

Backup / restore is tested

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

NIS2 Article 21(2)(c): What is Required?

Article 21(2)(c) of the NIS2 Directive requires covered entities to maintain business continuity plans (BCPs) and disaster recovery plans (DRPs) with defined recovery objectives. Plans must be regularly tested.

Specifically, RTO (Recovery Time Objective) and RPO (Recovery Point Objective) must be documented for all critical systems and validated through regular restore tests.

RTO/RPO Reference Values for NIS2 Practice

NIS2 does not prescribe exact RTO/RPO figures, as these depend on sector and service criticality. The following reference values are based on ENISA recommendations and common practice for in-scope entities:

System criticality	RTO target	RPO target	Backup test frequency
Critical	≤4h	≤1h	Monthly
Important	≤8h	≤4h	Quarterly
Standard	≤24h	≤8h	Annually