Business continuity plan under the ENS: 2026 guide.

A cybersecurity incident, a natural disaster, a hardware failure or a pandemic can paralyse an organisation in minutes. The question is not whether it will happen, but how prepared you are when it does. A Business Continuity Plan (BCP) is the structured response that allows you to keep critical services operating and recover the rest in a controlled way.

What the ENS requires on business continuity

The ENS (Spanish National Security Framework) dedicates control op.cont to operational continuity. The requirements scale by category: at BASIC, the existence of a continuity plan must be documented and verified; at MEDIUM, the plan must be tested with periodic drills and updated based on results; at HIGH, the plan must include alternative sites, RTO and RPO objectives aligned with the business impact analysis, and full annual drills.

BCP vs DRP: complementary, not synonymous

The terms are often confused but address different scopes. The BCP (Business Continuity Plan) covers the entire organisation: people, processes, suppliers, communication, alternative sites. The DRP (Disaster Recovery Plan) focuses on the technological infrastructure: systems, data, networks and applications. The DRP is a subset of the BCP. Both are needed.

Step 1: Business Impact Analysis (BIA)

The BIA is the analytical foundation of the plan. It answers three questions: which business processes are critical, what dependencies do they have, and what is the impact of each hour of disruption?

For each critical process, define the maximum tolerable downtime (MTD), the recovery time objective (RTO, how quickly we must be operational again) and the recovery point objective (RPO, how much data we can afford to lose). A typical e-commerce process may have RTO=2 hours, RPO=15 minutes. A monthly payroll process may have RTO=48 hours, RPO=24 hours.

Step 2: Recovery strategies

Once the requirements are known, design specific recovery strategies for each process. The available options scale by complexity and cost.

• Cold site: empty alternative facilities with basic infrastructure. Activation in days. Cheap.
• Warm site: alternative facilities with pre-installed hardware and partial data. Activation in hours. Intermediate cost.
• Hot site: alternative facilities with real-time data replication. Activation in minutes. Expensive.
• Cloud-based recovery: replication to a public cloud, with on-demand activation. Flexible cost based on use.

Step 3: Crisis communication

A common deficiency in BCPs is the absence of a clear communication plan. Define in advance: who communicates what to whom; up-to-date contact lists (internal team, suppliers, customers, regulators, media); off-channel communication channels (if email is down); message templates for each scenario; and the institutional spokesperson for media. Communication failures multiply the reputational impact of incidents.

Step 4: Detailed recovery procedures

For each critical process, document: trigger criteria for activation, the responsible person and their alternates, the step-by-step procedure, the resources needed (people, equipment, suppliers), recovery success criteria, and the return-to-normal procedure. Detailed runbooks reduce decision-making time under pressure.

Step 5: Drills and continual improvement

A BCP that is not tested is a paper plan that will fail when it is needed. Design progressive drills: tabletop exercises (review of scenarios with the team, 2-4 hours, low cost), simulations (technical execution of part of the plan, 1 day, moderate cost) and full drills (real-life execution of the full plan, several days, high cost).

Document results, identify deficiencies and update the plan. An untested plan is worse than no plan, because it generates a false sense of security.

Integration with cybersecurity

Ransomware has made the BCP critical for cybersecurity. An attack that encrypts all systems forces immediate activation. Ensure that: backups are isolated from the production network (the attacker should not reach them), the plan addresses massive ransomware scenarios (multi-system encryption), the recovery procedure does not depend on the compromised infrastructure, and ransomware-specific drills are conducted periodically.

Documentation and governance

The plan must be approved by management, reviewed at least annually and updated after any significant change in the organisation or the technological environment. Define clear roles: continuity manager, business representatives by area, technical responders. Maintain accessible copies of the plan, including off-site copies. Cybersecurity incident management ENS: protocol.

---

Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.

Frequently asked questions

What is the difference between BCP and DRP?

The BCP covers the entire organisation (people, processes, suppliers, communication); the DRP focuses on the technological infrastructure (systems, data, networks, applications). The DRP is a subset of the BCP and both are needed.

What are RTO and RPO?

RTO (Recovery Time Objective) is the time it takes to recover a process. RPO (Recovery Point Objective) is the maximum amount of data the organisation can afford to lose. They are defined per critical process during the BIA.

Who must comply with the ENS?

All bodies of the Spanish Public Administration and private suppliers providing ICT services to the public sector. Control op.cont applies to all of them, with requirements that scale by category (BASIC, MEDIUM, HIGH).

How often do I have to test the plan?

At least once a year, with a combination of tabletop exercises, partial simulations and full drills. The plan must be updated based on the results.