Business Continuity Plans Under ISO 22301 and NIS2 Article 21(c): A 2026 SME Guide
A practical guide to building an audit-ready business continuity plan for a UK or EU SME. Covers Business Impact Analysis, RTO/RPO targets, NIS2 Article 21(c) compliance, ISO 22301 clause mapping, and the four mistakes that destroy SME BCPs.
Business continuity planning is one of those compliance topics where the gap between what auditors expect and what most SMEs actually have is widest. This guide is for organisations that need an audit-ready BCP — under ISO 22301:2019, NIS2 Article 21(2)(c), FCA operational resilience, ISO 27001:2022 information-security continuity controls, or a customer-imposed contract clause — but do not have £15,000 of consultancy budget.
It covers the actual content of a working BCP, the Business Impact Analysis (BIA) that anchors it, the regulatory drivers, and the four mistakes that destroy SME continuity programmes.
Who needs a BCP under what regulation
Three regulatory regimes drive most BCP work in 2026:
- NIS2 Directive Article 21(2)(c) — essential and important entities operating in the EU must implement business continuity and crisis management measures. The UK NIS Regulations 2018 carry equivalent obligations for in-scope UK organisations.
- ISO 22301:2019 — the international standard for business continuity management systems. Customers of certified suppliers increasingly require alignment to ISO 22301 in procurement, even where formal certification is not contracted.
- ISO 27001:2022 Annex A.5.29 / A.5.30 / A.8.13 / A.8.14 — the information-security continuity controls. Required for any ISO 27001 certification.
Sector overlays add detail: FCA Operational Resilience PS21/3 and SYSC 15A for in-scope financial services, NHS DSPT continuity controls for NHS suppliers, DORA for ICT service providers to the financial sector.
The Business Impact Analysis (BIA) — anchor of the whole document
A BCP without a credible BIA is theatre. The BIA establishes which business processes are critical, the maximum tolerable downtime for each, the maximum tolerable data loss, and the resources each process depends on. Every later decision in the BCP traces back to it.
For a typical SME, the BIA covers:
- Critical processes — typically 3-7. The processes whose failure for more than a day would seriously hurt revenue, customer trust, or regulatory standing. Typically: order processing, customer support, payroll, financial reporting, regulatory submissions.
- Recovery Time Objective (RTO) — the maximum tolerable downtime per critical process. Express in concrete hours or days. "As soon as possible" is not an RTO. "Order processing: 4 hours; Email: 1 day; Reporting: 1 week" is.
- Recovery Point Objective (RPO) — the maximum tolerable data loss. "Customer records: 1 hour; financial data: zero; marketing analytics: 1 day".
- Upstream dependencies — for each critical process: people, systems, suppliers, data, premises. Single points of failure are usually visible at this step.
- Disruption scenarios — the plausible failure modes that would breach the RTO. Cyber, weather, supplier failure, key-person loss, pandemic-style.
RTO and RPO targets that survive a regulator review
Most SME BIAs initially produce targets that are aspirational rather than realistic. The pattern: RTOs of 1-2 hours for everything, RPOs of zero, with no recovery infrastructure that supports those targets. Auditors and regulators see through this immediately.
A BIA that survives review states the operational reality, flags where current arrangements cannot meet the stated target, and proposes the investment to close the gap. Three patterns work:
- Conservative achievable target — "RTO 24 hours; we run nightly off-site backups; tested twice a year; restore time validated at 18 hours". Honest and defensible.
- Aspirational target with explicit gap — "Target RTO 4 hours; current capability 24 hours; gap closed by Q3 2026 investment in active-passive cloud failover; cost £42,000". Honest, defensible, and shows direction.
- Tiered targets — different targets for different process tiers. Tier 1 (revenue-critical): 4h. Tier 2 (revenue-supporting): 24h. Tier 3 (back-office): 1 week. Right-sized to actual operational risk.
Continuity strategy — what you do when the system fails
Each critical process needs a documented continuity strategy. Four common patterns, in increasing cost:
- Manual workaround — the cheapest. The process runs on paper or spreadsheets while the system is recovered. Suitable for low-volume processes with low complexity. Document the workaround procedure in the BCP.
- Alternate supplier — for supplier-dependent processes. A second supplier on standby. Adds 5-15% to ongoing supplier cost.
- Warm standby — an alternate environment kept synchronised but not actively serving traffic. Activated within RTO when needed. Typical for business-critical SaaS workloads.
- Active-passive — both environments running, one serving traffic. Failover within minutes. Highest cost. Justified at higher revenue exposure.
The BCP states the chosen pattern per critical process and the activation procedure. Procedures should give immediate (0-4h), short-term (4-24h), medium-term (1-7 days) and long-term (>7 days) actions — not just "switch to the alternate site".
Crisis communication plan — the most-overlooked section
BCPs that fail in the real world fail most often in communication. The system can be recovering on schedule and the customer relationship can still die because nobody told the customer.
The crisis communication plan should include:
- Stakeholder list — customers (segmented by criticality), suppliers, regulators, employees, insurers, board.
- Escalation matrix — who tells whom, with explicit decision rights for "go public" decisions.
- Holding-statement templates — pre-drafted messages for the first 4-12 hours, before facts are clear.
- Notification timing per stakeholder — for NIS2 in-scope incidents this includes the 24-hour early warning to the competent authority and the 72-hour incident notification (Article 23). Personal-data breaches under GDPR Article 33 require ICO notification within 72 hours.
- Channels — primary and backup. If the email system is down, you need a separate channel.
Roles right-sized to your headcount
An enterprise BCP has a Crisis Management Team, an Incident Response Team, a Recovery Team, a Communications Team, plus liaison roles for HR, Legal and Finance. At a 30-employee SME, this is fiction.
The right approach for SME headcount: 3-4 named roles played by named individuals.
- Crisis Manager — typically the Managing Director or Operations Director. Decision authority during the incident.
- Recovery Lead — typically the IT Manager or external MSP lead. Drives the technical recovery.
- Communications Lead — typically the Marketing Lead or Operations Director. Owns external messaging.
- Documentation / Coordination — typically a senior administrator. Logs decisions, captures lessons, coordinates the team.
Document who plays each role primarily and who plays it as backup. Refresh quarterly because people leave.
Test, exercise, maintain — the cadence regulators expect
An untested BCP is an untested theory. Regulators (NIS2 competent authorities, FCA supervisors, ICO) are increasingly explicit about what tested means.
The minimum credible programme:
- Tabletop exercise — annual — 2-3 hour walk-through of a scenario with the named team. Cheap. Powerful for building muscle memory.
- Component test — annual — actually restore a backup, fail over a single service, exercise an alternate supplier. Tests one element at a time.
- Full continuity test — biennial — simulate the full incident with timed recovery against the stated RTO. Most expensive; most informative.
- After-action review — every exercise produces a short written review of what worked, what did not, and what changes to make. The reviews are retained and feed the next BCP revision.
For NIS2 Article 21(2)(c) compliance, evidence of recent testing — at least one tabletop in the last 12 months, with documented findings — is increasingly the auditor's first ask.
Four mistakes that destroy SME BCPs
Mistake 1 — RTOs that no infrastructure supports
The BCP says 1-hour RTO; the backup runs nightly; the restore time has never been measured; nobody on the team has ever recovered the system in production. The first incident proves the RTO was fiction.
Fix: measure your actual restore time on a real test. State the measured number as the current RTO. Plan investment to improve it where the business case justifies.
Mistake 2 — BCP owned by IT, not the business
An IT-owned BCP focuses on systems recovery and ignores process continuity. The systems come back; the team has not run the manual workaround in 18 months and nobody remembers how. Customer commitments are missed.
Fix: the BCP owner is the COO or equivalent. IT delivers the systems-recovery portion. Each business unit owns its process-continuity portion.
Mistake 3 — single-document BCP, never opened
A 90-page Word document on a SharePoint site that nobody has read since it was approved 18 months ago. The team that wrote it has half left. The procedures inside refer to systems that have been replaced.
Fix: the BCP is a living document with explicit annual review, named-person responsibility, and concrete update triggers (substantial system change, new critical supplier, headcount change >20%, ownership change, regulatory change).
Mistake 4 — communications-plan-as-afterthought
The BCP covers technical recovery in detail and the communications plan is half a page. In practice, communications is the part that decides whether the customer relationship survives the incident.
Fix: dedicate at least as many pages to communications as to technical recovery. Pre-draft holding statements. Run tabletop exercises that focus specifically on communication, not just system failover.
What audit-ready looks like
An ISO 22301-aligned BCP that survives a stage-1 readiness audit:
- Documented BIA with concrete RTOs and RPOs per critical process
- Explicit continuity strategy per process with sized recovery infrastructure
- Recovery procedures with timelines (0-4h / 4-24h / 1-7 days / >7 days)
- Crisis communication plan with stakeholder list, escalation matrix, holding-statement templates
- Named roles right-sized to headcount with primary and backup people
- 12-month exercise programme with at least one tabletop and one component test
- Recent after-action review documenting last exercise and improvement actions
- NIS2 Article 21(2)(c) compliance mapping (where applicable) and ISO 22301 clause-by-clause mapping
- Document control with version, effective date, owner, approver, next review
How long does this take to produce?
From scratch with no template, a competent practitioner takes 40-60 hours over 4-6 weeks. With a regulation-aware template and the BIA intake completed honestly, the same artefact takes 5-10 hours over a week. With AI-assisted drafting that takes the BIA intake and produces a tailored first draft, the same artefact takes 24-36 hours of elapsed time including review.
The practical sequence: complete the BIA intake honestly (30-45 minutes); produce the AI-drafted plan; book a 90-minute review meeting with the BCM team to validate sector-specific assumptions and refine RTO/RPO targets; finalise.
Where SummitBridge Horizon fits
BCP Builder produces an audit-ready Business Continuity Plan tailored to your business, drafted from a 14-question BIA intake by Claude Opus 4.7. ISO 22301 clause mapping and NIS2 Article 21(2)(c) compliance mapping included. £79 one-time, 36-hour delivery.
For organisations needing an on-site BIA workshop, ISO 22301 certification readiness audit, multi-site or multi-country BCP, or sector-specific advisory (DORA enhanced, FCA enhanced operational resilience, NHS Trust-level), our advisory team takes it further from £950.
Need help with this?
Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.
Book a Free Consultation