DORA Ch. II Sec. II Art. 11 4.

1. Overview


4. Financial entities shall put in place, maintain and periodically test appropriate ICT business continuity plans, notably with regard to critical or important functions outsourced or contracted through arrangements with ICT third-party service providers.


2. Identified Requirements


3. Related Standards

Standards (Source Requirement)
NOREA Business Continuity Policy

Establish an ICT business continuity policy that enables the continuity of critical or important functions, ensures rapid response to incidents, facilitates the resumption of activities, deployment of containment measures, activation and deactivation of response and recovery procedures, estimation of impact, damage, and losses, and provides clear communication to relevant stakeholders. Regularly review the business continuity policy and make necessary adjustments to enhance effectiveness.

Refer to Articles 24.2-4 of the RTS RM for the specific requirements for central counterparties, trading venues, and central securities depositories.

NOREA Crisis Management
Establish and maintain a crisis management team tasked with overseeing and coordinating actions during a crisis or major disruption. Regularly review the response and recovery plans and make the adjustments needed to enhance their effectiveness.
NOREA Record Keeping
Keep detailed records of activities conducted before, during, and after disruptions, including actions taken and outcomes. Maintain an estimation of aggregated annual costs and losses resulting from major disruptions. This information shall be reported to the regulator upon their request.
NOREA Business Impact analysis
Perform a comprehensive Business Impact Analysis (BIA) of exposures to severe business disruptions. The BIA should be done by means of quantitative and qualitative criteria, using internal and external data and scenario analysis, as appropriate. The BIA shall consider the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. Financial entities shall ensure that ICT assets and ICT services are designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.

NOREA Response and Recovery

Establish comprehensive response and recovery plans encompassing short-term and long-term recovery options. These plans must thoroughly identify potential scenarios and shall duly take into account scenarios of cyber-attacks, switchovers, degradation of critical function provision, premises failure, breakdowns in ICT assets or communication infrastructure, staff unavailability, natural disasters and the impact of climate change, pandemic situations, physical attacks, insider threats, political or social instability, and power outages. Additionally, these plans must incorporate alternative options in cases where primary recovery measures are impractical in the short term due to factors such as cost, risks, logistics, or unforeseen circumstances. Address potential failures of key ICT third-party service providers in the plans.

NOREA Testing and Assessment

Regularly test ICT business continuity, response, and recovery plans, particularly in collaboration with third-party service providers supporting critical or important functions. Testing should take into account the financial entity's BIA and the ICT risk assessment and occur at least yearly and whenever there are significant changes to systems supporting critical or important functions.
Tests must be based on realistic scenarios and encompass scenarios such as cyber-attacks, insolvency or failure of the third party, backup restores, and switchover between primary and redundant processing sites.
The testing shall verify whether at least critical or important functions can be operated appropriately, for a sufficient period of time, and whether the normal functioning of the business process can be restored. Conduct testing of crisis communication plans to ensure effective communication strategies during a crisis or major disruption. Document test results and report any deficiencies identified by the tests to the management body.

Refer to Articles 24.2-3 of the RTS RM for the specific requirements for central counterparties and central securities depositories.

NOREA Third-party Risk Management

Manage third-party risks proportionate to the nature of the dependency, the service-related risks, and the impact on the entity's continuity and availability in case of disruption. Implement a policy for ICT services supporting critical or important functions provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service provider's risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, the group affiliation of the service provider, and the potential impact of risks and disruptions on the continuity and availability of the entity's activities. Test the response and recovery of services supporting critical or important functions that are provided by third parties.

NOREA Pre-Contract Risk Assessment

Perform a pre-contract risk assessment. This assessment must establish whether: the contract covers services supporting critical or important functions; the service provider is easily replaceable; the risks of sub-contracting are covered; the risks of outsourcing the service to a third country are covered; the risk of the service provider's bankruptcy is covered; the supervisory conditions for contracting are met; all contractual risks are identified and assessed (e.g., to cover ICT concentration risk); the service provider is suitable; and whether there are conflicts of interest. Assess whether the service provider has the resources to ensure the entity's compliance with all legal and regulatory requirements.

NOREA Register of Information
Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information.
NOREA Contractual Requisites
Only contract with service providers meeting information security standards (e.g., ISO 27001, SOC 2, PCI DSS) appropriate to the criticality of the services delivered. Determine the audit frequency for service providers, ensuring that auditors possess the requisite skills and knowledge for complex services.
NOREA Exit strategies

Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline.

The DORA Taskforce has designed an exit plan template that may be of assistance, see: https://www.norea.nl/dora/dora-template-exit-plan

NOREA Annual Reporting of New Arrangements
Report new service provider arrangements to the regulator on a yearly basis, distinguishing those supporting critical or important functions, with immediate notification for arrangements supporting critical or important functions.