Chapter II — ICT risk management
Section IV — Response and recovery
Response and recovery
Summary
Requires financial entities to establish ICT business continuity policies and ICT response and recovery plans. Plans must be tested at least annually and must cover all critical or important functions including those supported by ICT third-party service providers.
Key Requirements
1. Establish ICT business continuity policy and disaster recovery plans
2. Cover all critical or important functions in recovery plans
3. Test business continuity and recovery plans at least annually
4. Include third-party dependencies in recovery planning
5. Define and validate recovery time and recovery point objectives
Detailed Analysis
Article 11 addresses what happens when prevention and detection measures are insufficient — the entity must be prepared to respond to and recover from ICT disruptions. This article is where DORA's operational resilience focus becomes most tangible, moving beyond security controls to the continuity of financial services.
Financial entities must establish comprehensive ICT business continuity policies that set the overarching framework for maintaining operations during disruptions. These policies must be complemented by specific ICT response and recovery plans that provide actionable procedures for different disruption scenarios — from localized system failures to widespread cyber attacks.
Recovery plans must cover all critical or important functions, with defined recovery time objectives (RTOs) and recovery point objectives (RPOs) that reflect the entity's risk appetite and regulatory obligations. Critically, these plans must account for third-party dependencies. If a cloud provider or critical vendor is disrupted, the entity's recovery plan must include provisions for operating without that provider or switching to alternatives.
Annual testing of business continuity and recovery plans is mandatory. These tests must go beyond tabletop exercises for critical functions, involving actual failover tests, switchover to backup sites, and validation that recovery objectives can be met in practice. Test results must be documented, reported to management, and used to improve the plans. Identified gaps must be remediated within defined timelines.