---
title: NIS2 Disaster Recovery Plan Guide
description: How to build an approvable NIS2 disaster recovery plan. Practical guide with RTO/RPO targets, recovery procedures, and testing requirements.
canonical: https://www.aegister.com/en/cms/insights/nis2-disaster-recovery-plan-id-im-04/
url: /en/cms/insights/nis2-disaster-recovery-plan-id-im-04/
lang: en
---

![](/static/images/header-contact.webp)

# NIS2 disaster recovery plan: practical guide for an approvable ID.IM-04 document

---

![NIS2 disaster recovery plan: practical guide for an approvable ID.IM-04 document](/static/images/cms/nis2-requisiti-di-base.webp)

## NIS2 disaster recovery plan: practical guide for an approvable ID.IM-04 document

February 06, 2026

[NIS2](/en/cms/keyword/nis2/)
[Appendix C](/en/cms/keyword/appendix-c/)
[board approval](/en/cms/keyword/board-approval/)
[ACN](/en/cms/keyword/acn/)
+5

Under the ACN baseline framework, the disaster recovery plan is explicitly listed among the documents that require approval by management and directive bodies (Appendix C, ID.IM-04 point 1).

For timeline alignment, incident notification obligations are already live from January 2026, while the broader baseline implementation horizon for many organizational measures points to October 2026. A DR plan should therefore be operationally usable now, not only prepared for formal deadline readiness.

## Key takeaways

- The DR plan is a governed and approvable document, not just a technical runbook.
- ID.IM-04 expectations connect continuity, disaster recovery, and crisis handling in one coherent control area.
- Recovery targets and sequencing must be explicit, testable, and evidenced.
- Supplier and infrastructure dependencies are part of DR credibility.

## Regulatory framing for disaster recovery in NIS2

The ACN guidance groups continuity of operations, backup management, disaster restoration, and crisis management under the same baseline area. In practice, a disaster recovery plan should define how critical systems and data are restored after severe disruption, with clear interfaces to continuity and incident governance.

A common compliance gap is documenting backup existence without restoration governance. Regulators typically expect proof that restoration priorities, ownership, and verification are defined and exercised.

## What an approvable disaster recovery plan should contain

| Section | Why it matters for ID.IM-04 execution |
| --- | --- |
| Recovery scope and critical assets | Defines which systems/data must be restored first |
| Disaster declaration criteria | Clarifies escalation threshold and activation authority |
| Recovery sequence and dependencies | Prevents uncoordinated restoration and hidden blockers |
| Backup and restore controls | Links recovery execution to data integrity and usability |
| Roles across IT, security, and business | Establishes accountable decision flow during disruption |
| Third-party and cloud dependencies | Addresses external recovery constraints |
| Test evidence and improvement actions | Demonstrates real operability of the DR model |

## Practical structure from the Aegister template approach

### 1. Objective, scope, and references

Define disaster scenarios covered, system perimeter, and normative baseline.

### 2. Critical systems and restoration priorities

Map applications, infrastructure, and data classes by business criticality.

### 3. Governance and activation model

Set activation authority, decision rights, and escalation chain.

### 4. Technical restoration playbooks

Describe restore steps, validation checks, fallback options, and rollback criteria.

### 5. Dependency and supplier recovery assumptions

Document cloud/provider constraints, support windows, and contingency options.

### 6. Recovery validation and service handback

Define acceptance criteria before returning to normal operations.

### 7. Evidence registry and review cadence

Track tests, incidents, outcomes, and management reporting.

## Common DR quality gaps to avoid

- Backup policy documented, but no tested restore sequence.
- Recovery priorities not aligned with business criticality.
- Activation criteria missing or too generic.
- Roles unclear between CISO, IT operations, and business owners.
- No auditable evidence from exercises and post-event reviews.

## 20-day hardening checklist

| Week | Priority actions |
| --- | --- |
| Week 1 | Confirm disaster scenarios, critical assets, and recovery tiers |
| Week 2 | Define activation/escalation and complete restoration playbooks |
| Week 3 | Execute test cycle, capture evidence, and close key corrective actions |

## FAQ

### Is the disaster recovery plan subject to formal approval by management bodies?

Yes. Appendix C includes the disaster recovery plan among the documents requiring approval by management and directive bodies (ID.IM-04 point 1).

### Is backup documentation alone sufficient for DR compliance?

No. Backup controls are necessary, but DR governance also requires clear restoration logic, ownership, and verification evidence.

### What is the minimum practical output expected from a DR plan?

An executable recovery model with declared triggers, priority restoration sequence, and traceable test evidence.

## Conclusion and next steps

A NIS2 disaster recovery plan should combine governance approval with operational execution discipline. Organizations that formalize restoration priorities, activation criteria, and proof-of-test cycles early are better positioned for October 2026 readiness while supporting live incident obligations already active.

## Related reading

- [NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now](/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/)
- [NIS2 business continuity plan: practical guide to build an approvable ID.IM-04 document](/en/cms/insights/nis2-business-continuity-plan-id-im-04/)
- [NIS2 Recovery Controls (RC): Operational Resilience and Service Restoration](/en/cms/insights/nis2-recovery-rc-operational-resilience/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)

## Official sources

- [ACN – Guida alla lettura delle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – Determinazione obblighi di base 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN – Modalità e specifiche di base](https://www.acn.gov.it/portale/nis/modalita-specifiche-base)
- [Gazzetta Ufficiale – Decreto Legislativo 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

Share this post

## Related News

[![NIS2 business continuity plan: practical guide to build an approvable ID.IM-04 document](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-business-continuity-plan-id-im-04/)

[NIS2 business continuity plan: practical guide to build an approvable ID.IM-04 document](/en/cms/insights/nis2-business-continuity-plan-id-im-04/)

[The business continuity plan is mandatory under NIS2 Appendix C (ID.IM-04). This guide covers what an approvable plan must include, a practical template structure with activation triggers and playbooks, common gaps, and a 20-day hardening checklist.](/en/cms/insights/nis2-business-continuity-plan-id-im-04/)

[NIS2](/en/cms/keyword/nis2/)
[Appendix C](/en/cms/keyword/appendix-c/)
+7

[![NIS2 crisis management plan: practical guide for an approvable ID.IM-04 document](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-crisis-management-plan-id-im-04/)

[NIS2 crisis management plan: practical guide for an approvable ID.IM-04 document](/en/cms/insights/nis2-crisis-management-plan-id-im-04/)

[The crisis management plan is mandatory under NIS2 Appendix C (ID.IM-04). This guide covers what an approvable plan must contain, a practical template with CMT roles and communication playbooks, common gaps, and a 20-day hardening checklist.](/en/cms/insights/nis2-crisis-management-plan-id-im-04/)

[NIS2](/en/cms/keyword/nis2/)
[Appendix C](/en/cms/keyword/appendix-c/)
+7

[![NIS2 incident management and CSIRT notification plan: practical guide for an approvable RS.MA-01 document](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-incident-management-csirt-notification-plan-rs-ma-01/)

[NIS2 incident management and CSIRT notification plan: practical guide for an approvable RS.MA-01 document](/en/cms/insights/nis2-incident-management-csirt-notification-plan-rs-ma-01/)

[The incident management plan is mandatory under NIS2 Appendix C (RS.MA-01). This guide covers what an approvable plan must include, a practical template with CSIRT notification workflow and timing logic, common gaps, and a 20-day hardening checklist.](/en/cms/insights/nis2-incident-management-csirt-notification-plan-rs-ma-01/)

[NIS2](/en/cms/keyword/nis2/)
[Appendix C](/en/cms/keyword/appendix-c/)
+8

### NIS 2 Compliance with Aegister

Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support.

[Discover](/en/solutions/compliance/nis2/)