What NIS2 really means
Article 21.1 sets the framework. Measures must be appropriate and proportionate. They should address risks in networks and information systems and reduce the impact of incidents. Within that framework, Article 21.2 lists ten areas. Point c is business continuity, explicitly covering backup, disaster management, and crisis handling (European Union, 2022).
Swedish implementation: the Cybersecurity Act
In Sweden, the Cybersecurity Act (2025:1506) and the Cybersecurity Ordinance (2025:1507) came into force on 15 January 2026. This means NIS2 is no longer a future discussion. It is an actual compliance track in supervision and follow-up (Swedish Parliament, 2025a; Swedish Parliament, 2025b; Government, 2026).
An important fact: NIS2 is cyber-focused but continuity is cross-cutting
I want to be clear here. NIS2 is a cybersecurity directive. It is not an all-hazards regulation in the same sense as CER. But cyber incidents often cause outages that behave like any other crisis. Therefore, continuity becomes cross-cutting in practice. If a critical service fails, it matters less whether the cause was a vulnerability, a faulty update, or a supplier disappearing from view. The service must be restored.
What Article 21.2 c means in practice
I interpret 21.2 c as an expectation of demonstrable recovery. Not perfection. But a clear, actionable plan that has been tested. It involves four interconnected aspects, and it should not produce a mountain of paper.
First, operational continuity. This is how you decide which services must keep running, how long you can be without them, and what manual processes apply in the meantime. This part often reveals whether management truly understands their operation.
Next, backup. Backup is not just a file on a disk. Backup is a promise of restoration. That promise must be tested regularly. And you must know what's included: critical data, critical systems, and dependencies.
The third part is disaster recovery. This is how you get services running when something major happens. It can be anything from a ransomware attack to a significant outage. It requires clear priorities, access controls, and a plan that works even under stress.
The fourth part is crisis management. This is often misunderstood. Crisis management is not a press release. It's decision-making routes, points of contact, and communication that have been practised. This is also where NIS2 meets reality: people need to know who says what, to whom, and when.
The most common pitfall: a plan that's too clever
I often see continuity plans that are too complex. They look impressive on paper. But they fail when it counts. A rule of thumb: if the plan requires three people to be in the same place with perfect recall, it's a dream. In an incident, people are tired, someone is absent, and the supplier replies 'after lunch'. Therefore, the plan must be simple. It must withstand a bad day.
How 21.2 c connects with the rest of Article 21
Continuity ties into everything. Risk analysis and policies (21.2 a) determine what you prioritise. Incident handling (21.2 b) decides how quickly you get back on track. The supply chain (21.2 d) determines whether you get insight and support in time. Vulnerability handling and secure development (21.2 e) affect how often you end up needing recovery. And effectiveness assessments (21.2 f) show whether you can prove that all of this works (European Union, 2022; ENISA, 2025).
Three simple but tough suggestions
I promise to stick to three points. They're easy to say. But they require discipline. And they align perfectly with Article 21.2 c.
· Test recovery against time.
· Prioritise services, not systems.
· Practise crisis as part of everyday life.
Testing recovery against time means measuring how long it actually takes to restore the most important things. Not what you hope. Prioritising services, not systems, means managing according to what the business delivers. That's where the impact lies. Practising crisis management as part of everyday life means doing small exercises often. It builds muscle memory. And muscle memory is what saves an organisation when everything moves fast.
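The first two suggestions can be made concrete in a small recovery drill harness. The example below is added here and is not from the original article or from any named regulator or product. It assumes a constructed backup store (a dictionary of paths to bytes standing in for object storage or tape), a manifest of SHA-256 hashes recorded at backup time, and a per-service recovery time objective (RTO); the service names, paths and RTO values are invented for illustration. Each drill restores what one service needs, measures the elapsed time against that service's RTO, and verifies every restored object against the manifest, so a backup that silently lost data fails the drill even when it was fast. Services are drilled in business priority order, which is also the order you would restore them in a real incident.

```python
"""Recovery drill harness: time a per-service restore against its RTO and
verify the restored data against a manifest of known-good SHA-256 hashes.
Added example; the backup store, services and RTO values are constructed."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    priority: int        # 1 = most critical to what the business delivers
    rto_minutes: float   # maximum tolerable time to restore this service
    paths: Tuple[str, ...]  # backup objects the service needs to run


@dataclass
class DrillResult:
    service: str
    elapsed_minutes: float
    within_rto: bool
    corrupt_or_missing: List[str]

    @property
    def passed(self) -> bool:
        # A restore only counts when it is both on time and complete.
        return self.within_rto and not self.corrupt_or_missing


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest, recorded when the backup was taken. This is the
# "promise of restoration" every drill is checked against.
ORIGINAL_PAYROLL = b"id,name,amount\n1,Ann,100\n"
MANIFEST: Dict[str, str] = {
    "db/customers.sql": sha256_hex(b"CREATE TABLE customers (id INT);"),
    "db/orders.sql": sha256_hex(b"CREATE TABLE orders (id INT);"),
    "web/config.yaml": sha256_hex(b"listen: 443\n"),
    "hr/payroll.csv": sha256_hex(ORIGINAL_PAYROLL),
}

# Constructed backup store. The payroll object is truncated on purpose to
# simulate silent corruption that a "file exists" check would never catch.
BACKUP_STORE: Dict[str, bytes] = {
    "db/customers.sql": b"CREATE TABLE customers (id INT);",
    "db/orders.sql": b"CREATE TABLE orders (id INT);",
    "web/config.yaml": b"listen: 443\n",
    "hr/payroll.csv": b"id,name,amount\n",
}

# Constructed services, ranked by business impact rather than by system.
SERVICES: List[Service] = [
    Service("order-handling", 1, 60.0,
            ("db/customers.sql", "db/orders.sql", "web/config.yaml")),
    Service("payroll", 2, 240.0, ("hr/payroll.csv",)),
]


def restore(service: Service, store: Dict[str, bytes]) -> Dict[str, Optional[bytes]]:
    """Simulated restore: pull each object the service needs out of the store.
    A real restore_fn would drive the backup tool and return what came back."""
    return {path: store.get(path) for path in service.paths}


def verify(restored: Dict[str, Optional[bytes]], manifest: Dict[str, str]) -> List[str]:
    """Return the paths that are missing or whose hash differs from the manifest."""
    return [path for path, blob in restored.items()
            if blob is None or sha256_hex(blob) != manifest.get(path)]


def run_drill(service: Service, store: Dict[str, bytes], manifest: Dict[str, str],
              restore_fn: Callable = restore,
              clock: Callable[[], float] = time.monotonic) -> DrillResult:
    start = clock()
    restored = restore_fn(service, store)
    elapsed_minutes = (clock() - start) / 60.0
    bad = verify(restored, manifest)
    return DrillResult(service.name, elapsed_minutes,
                       elapsed_minutes <= service.rto_minutes, bad)


def run_all(services: List[Service], store: Dict[str, bytes], manifest: Dict[str, str],
            restore_fn: Callable = restore,
            clock: Callable[[], float] = time.monotonic) -> List[DrillResult]:
    """Drill the most critical services first and return one result per service."""
    ordered = sorted(services, key=lambda s: s.priority)
    return [run_drill(s, store, manifest, restore_fn, clock) for s in ordered]


def fake_clock(step_seconds: float) -> Callable[[], float]:
    """Deterministic clock for dry runs: each call advances by step_seconds,
    so one drill measures exactly step_seconds of elapsed restore time."""
    now = [0.0]

    def _clock() -> float:
        current = now[0]
        now[0] += step_seconds
        return current
    return _clock


if __name__ == "__main__":
    # Pretend every restore took 90 minutes to see both failure modes at once.
    for r in run_all(SERVICES, BACKUP_STORE, MANIFEST, clock=fake_clock(90 * 60)):
        status = "PASS" if r.passed else "FAIL"
        print(f"{status} {r.service}: {r.elapsed_minutes:.0f} min, "
              f"within RTO={r.within_rto}, bad objects={r.corrupt_or_missing}")
```

Run as a script, the harness reports order-handling failing on time (90 minutes against a 60-minute RTO) and payroll failing on integrity (the truncated file) even though it was well within its RTO. Replacing `restore` with a function that drives the real backup tooling, and keeping the manifest somewhere the backup system cannot overwrite, turns this into the recurring evidence that Article 21.2 c asks for.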
Final thoughts
Article 21.2 c is not a requirement to never have problems. It is a requirement to be able to recover. Continuity is the emergency generator. It doesn't bring glamour. It delivers operation. And in a digital world, operation is often the same as trust.
References
ENISA. (2025). Technical implementation guidance on cybersecurity risk management measures (Version 1.0). European Union Agency for Cybersecurity.
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
Government. (2026). Cybersecurity: the new Cybersecurity Act and Ordinance came into force 15 January 2026.
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.