Business continuity plan in accordance with BSI Standard 200-4: How SMEs ensure their business continuity
Imagine this: It's Tuesday morning. The sales manager of a medium-sized mechanical engineering company wants to answer an urgent request for quotation – but her inbox isn't loading. Colleagues in the open-plan office stare at their screens, perplexed. The managing director's phone is ringing: An important customer from France can no longer reach anyone by email.
Shortly afterwards, it becomes clear that a cyber attack has paralysed the company's communication system overnight. No one has access to the inbox, the video conferencing tool or the address book. Even the calendar with today's appointments is affected. Nobody knows who to inform. No one can reach their colleagues in the home office.
The managing director is faced with an existential question: "How do we communicate now – with our employees, with customers, with suppliers?" Every hour without an answer costs trust, orders and possibly the company itself in the end.
SMEs are the most frequent target of high-impact cyberattacks
This scenario is not theoretical. It is part of everyday life in small and medium-sized enterprises (SMEs). According to the BSI's situation report on IT security in Germany 2025, 80% of reported attacks were directed against SMEs in the reporting period. Small and medium-sized enterprises do not have the security budgets of large corporations at their disposal. And while large companies have well-established crisis teams and fallback systems, SMEs are usually hit completely unprepared: if the email service is down, the whole business is down.
What does this mean for you? The question is not whether your company will be in this situation one day, but when – and whether you will still be able to act. This is precisely where a business continuity plan in accordance with BSI Standard 200-4 comes in – the methodical basis for effective business continuity management (BCM) in small and medium-sized companies.
The NIS-2 Implementation Act has been in force in Germany since 6 December 2025 – without a transition period. Around 29,500 companies must now prove that they operate a structured business continuity management (BCM) system. BSI Standard 200-4 provides the methodological framework for this.
What is a business continuity plan – and why do SMEs need one?
A business continuity plan (BCP) systematically describes how a company maintains or restores its critical processes as quickly as possible in the event of serious disruptions – from cyber attacks to power outages and natural disasters. It is the core result of a comprehensive Business Continuity Management System (BCMS).
BCM goes far beyond traditional IT contingency plans and backup concepts. It considers the interaction between organisation, technology, building infrastructure and personnel. After all, the best backup is of little use in an emergency if no one knows who decides which channel to use to communicate and which processes need to be restarted first.
For SMEs, a business continuity plan is doubly valuable: it not only secures their existence in the event of an emergency, but also fulfils the central requirements of the NIS-2 Implementation Act for business continuity management in SMEs.
BSI Standard 200-4: The guide for your BCM
The BSI Standard 200-4 was published by the German Federal Office for Information Security (BSI) in June 2023 and replaces its predecessor BSI Standard 100-4. It is based on the international standard ISO 22301:2019 and offers practical guidance for setting up a BCMS – regardless of industry and company size.
BCM according to BSI 200-4 is not a project – it's a cycle
Many companies view BCM as a project with a beginning and an end – write an emergency manual, file it, done. BSI Standard 200-4 deliberately counters this with a different model: the PDCA cycle (Plan-Do-Check-Act), which is also the basis of ISO 22301.
BCM is a continuous process in four phases:
- Plan: Define context and objectives, carry out business impact analysis (BIA) and risk analyses, develop emergency strategies.
- Do: Implement measures, i.e. document emergency plans, form a crisis team, train employees, set up backup systems.
- Check: Check effectiveness, i.e. carry out exercises, evaluate key figures, internal audits, lessons learnt from real incidents.
- Act: Improve and adapt, i.e. incorporate findings, update plans, include new risks.
This approach is a relief for SMEs: they do not have to present a perfect BCM on the first day. It is enough to enter the cycle – and get better with every round.
The staged model of BSI Standard 200-4: Customised entry
A key feature of the standard is its three-stage approach, which enables companies to get started flexibly:
- Reactive BCMS (4–8 weeks): Immediate measures and emergency contacts. Fulfils the NIS-2 minimum requirement and creates a basis for further expansion.
- Build-up BCMS (3–6 months): Complete business impact analysis (BIA), risk analyses and initial emergency plans. Critical processes are identified and recovery times are defined.
- Standard BCMS (6–12 months): Comprehensive, ISO 22301-compliant BCM with regular exercises, analyses and continuous improvement.
This step-by-step approach is particularly attractive for medium-sized companies: you can start quickly with the reactive stage and gradually expand your BCM – without having to manage a major project from the outset.
The three phases of an incident: from alarm to normal operation
The BSI Standard 200-4 does not think of incidents as a single moment, but as a time course with clearly distinguishable phases. This model helps enormously in structuring emergency plans in a meaningful way – and shows why some precautions must take effect immediately, while others only become relevant days later:
1. Immediate reaction
Minutes to hours: Recognise and contain damage, convene crisis team, start initial internal and external communication, check reporting obligations (for NIS-2: 24-hour early warning to the BSI).
2. Emergency operation
Hours to weeks: Critical processes continue to run at a defined minimum level (MBCO) – often with alternative systems, reduced functions or manual processes. Customers, suppliers and employees must be kept informed at all times.
3. Restart & return
Days to months: Step-by-step restoration of regular systems and processes, follow-up, evaluation and incorporation of the findings into the BCM (back into the PDCA cycle).
Important: Effective communication is a basic requirement in all three phases. If you cannot reach your crisis team during the immediate response or cannot inform customers during emergency operations, you will lose valuable time – and the trust of your stakeholders.
The Business Impact Analysis: The centrepiece of BSI Standard 200-4
The Business Impact Analysis (BIA) is the central tool in BSI Standard 200-4. It answers the key questions:
- Which business processes are time-critical?
- What dependencies exist (IT systems, personnel, service providers, buildings)?
- What is the maximum time a process can be down before damage that threatens the company's existence occurs?
- At what minimum level must operations continue in an emergency?
In practice, a BIA typically involves five steps:
- Capture business processes: A structured inventory of all key processes – from incoming orders to production and invoicing. Important: This also includes supporting processes such as human resources or IT support.
- Evaluate damage scenarios: The consequences of a failure after 1 hour, 1 day, 1 week are checked for each process – financially, legally, reputationally and with regard to customers and employees.
- Map dependencies: Which IT systems, service providers, premises, key personnel and external communication channels does each process need? This is often where the biggest blind spots are discovered.
- Determine key figures: MTPD, RTO, RPO and MBCO are defined for each critical process (see overview below). These values later form the basis for all restart plans.
- Prioritise and document: The results are summarised in a BIA report. This forms the basis for all further BCM decisions. The BSI provides free templates and a BIA evaluation form for this purpose.
Four key figures that every company should know:
- MTPD: Maximum Tolerable Period of Disruption
- RTO: Recovery Time Objective
- RPO: Recovery Point Objective (maximum tolerable data loss)
- MBCO: Minimum Business Continuity Objective (minimum performance in emergency operation)
An example from a medium-sized retail company makes the BIA tangible:
The "order acceptance and confirmation" process runs entirely via email and the ERP system. The BIA shows: after 4 hours without customer communication, the first orders migrate to the competition; after 2 days there is a threat of contractual penalties; after a week the relationship with key customers is irreparably damaged.
The key figures could look like this:
- MTPD = 48 hours
- RTO = 4 hours
- RPO = 1 hour
- MBCO = order acceptance via alternative channel with reduced capacity
It is precisely these values that provide the benchmark for investments in backup systems, backup communication and personnel planning.
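The following is an added example (not from the BSI or from mailbox) that turns the BIA steps above into a small consistency check: each process carries damage scenarios as (outage hours, severity) pairs, MTPD is derived as the longest outage that stays below an existence-threatening severity, and the usual review rules (RTO below MTPD, RPO not longer than RTO, MBCO defined) are applied. The severity scale, the "existential" threshold and the two extra processes are constructed assumptions; the order-acceptance figures are the ones from the text.

```python
from __future__ import annotations
from dataclasses import dataclass

EXISTENTIAL = 4  # assumption: severity level at which damage threatens the company's existence


@dataclass
class Process:
    name: str
    damage: list[tuple[int, int]]  # (hours of outage, severity 0-4) from the damage-scenario step
    rto_h: int                     # Recovery Time Objective
    rpo_h: int                     # Recovery Point Objective (max. tolerable data loss)
    mbco: str                      # Minimum Business Continuity Objective ("" = not defined)


def mtpd_hours(p: Process) -> int:
    """MTPD: the longest outage duration at which damage stays below the existential level."""
    tolerable = [h for h, sev in sorted(p.damage) if sev < EXISTENTIAL]
    return max(tolerable) if tolerable else 0


def check_key_figures(p: Process) -> list[str]:
    """Review rules a BIA report is checked against; an empty list means the figures are consistent."""
    mtpd = mtpd_hours(p)
    findings = []
    if p.rto_h >= mtpd:
        findings.append(f"{p.name}: RTO {p.rto_h}h must be below MTPD {mtpd}h")
    if p.rpo_h > p.rto_h:
        findings.append(f"{p.name}: RPO {p.rpo_h}h exceeds RTO {p.rto_h}h")
    if not p.mbco:
        findings.append(f"{p.name}: no MBCO defined for emergency operation")
    return findings


def restart_priority(procs: list[Process]) -> list[str]:
    """Processes ordered by MTPD: the shortest tolerable outage is restarted first."""
    return [p.name for p in sorted(procs, key=mtpd_hours)]


# Constructed sample data. ORDER uses the retail example from the text (MTPD 48 h, RTO 4 h, RPO 1 h);
# INVOICING and PAYROLL are invented, PAYROLL deliberately has inconsistent figures.
ORDER = Process("order acceptance", [(4, 2), (48, 3), (168, 4)], 4, 1, "alternative channel, reduced capacity")
INVOICING = Process("invoicing", [(24, 1), (168, 3), (720, 4)], 48, 24, "manual invoices for key customers")
PAYROLL = Process("payroll", [(8, 1), (24, 3), (72, 4)], 96, 24, "")

if __name__ == "__main__":
    for proc in (ORDER, INVOICING, PAYROLL):
        print(proc.name, "MTPD", mtpd_hours(proc), "h", check_key_figures(proc) or "consistent")
    print("restart priority:", restart_priority([ORDER, INVOICING, PAYROLL]))
```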
NIS-2 makes BCM a legal requirement
With the NIS-2 Implementation Act coming into force on 6 December 2025, business continuity management is a legal requirement for a significantly expanded group of companies in Germany. § 30 para. 2 no. 3 BSIG explicitly requires measures to maintain operations, including backup management, recovery and crisis management.
What this means for you:
- Around 29,500 companies in Germany are affected – up from around 4,500 regulated organisations to date.
- There are no transition periods: the requirements apply immediately.
- Management is personally liable and is obliged to undergo cyber security training.
- Failure to comply could result in fines of up to 10 million euros or 2 % of annual global turnover.
In relation to NIS-2, BSI Standard 200-4 is not a requirement, but a recognised methodology. Those who align their BCM with it create a reliable basis for demonstrably fulfilling the NIS-2 requirements.
The underestimated weak point: communication in an emergency
Many emergency scenarios reveal a critical gap: Organisations plan restart processes and backup strategies, but overlook the fundamental issue of communication skills. How do companies and authorities communicate when the primary means of communication fail?
In the event of a ransomware attack, for example, it is often not only business data that is affected, but also email systems, collaboration platforms and video conferencing solutions. As a result, the crisis team is unable to coordinate, employees receive no instructions and customers and partners remain in the dark.
A business continuity plan in accordance with BSI 200-4 must therefore also include an answer to this question: What secondary communication system is available if the primary system is no longer usable?
EVAC by mailbox: communication capability at the touch of a button
It is precisely for this scenario that mailbox has developed EVAC – an immediately deployable, secondary communication platform for companies and public authorities. EVAC can be activated at the touch of a button when regular IT communication tools are no longer available during a cyber emergency.
What EVAC includes:
- Secure email communication – regardless of your compromised infrastructure
- Video conferencing – for crisis team meetings, coordination and online meetings with external stakeholders
- Cloud storage – for sharing important documents during emergency operations
- Calendar, address book and online office tools – for basic work capability
EVAC in the BCM context
EVAC is not a replacement infrastructure for continuous operation, but a targeted building block in your business continuity plan: the solution for communication capability in an emergency. As an external, independent system, EVAC is not affected by an attack on your primary IT – and that is precisely what makes it so valuable.
Conclusion: Preparation beats reaction
The BSI Standard 200-4 makes business continuity management tangible and feasible – even for companies that have not yet implemented formal BCM. With the three-stage model, you can get started quickly and gradually build up a resilient system.
The decisive factor is: don't wait for an emergency. The NIS-2 requirements apply now. And the question of whether your company remains capable of communicating and acting after a cyberattack should not be answered in the crisis team – but today, in your business continuity plan.
Five steps to a business continuity plan
Would you like to start with your BCM or improve existing measures? These five steps are based on BSI Standard 200-4:
- Clarify responsibility: BCM is a matter for the boss. Appoint a responsible person (BCM officer) and ensure that the management actively supports the topic.
- Carry out a business impact analysis: Identify your time-critical business processes, their dependencies and the maximum tolerable downtimes. The BSI provides free templates for this purpose.
- Ensure emergency communication: Define a secondary communication channel that works independently of your primary IT – for example with a solution such as EVAC from mailbox.
- Create recovery plans: For each critical process, document what the emergency operation looks like and what steps are necessary for recovery.
- Regularly practise and improve: A plan that is never tested is worthless in an emergency. Carry out regular BCM exercises and adapt your plans to changing conditions.
FAQ about the BCM in accordance with BSI 200-4
What is a business continuity plan?
A business continuity plan (BCP) is a documented action plan that describes how a company maintains its critical business processes after a serious disruption or restores them in the shortest possible time. It is the central result of a business continuity management system (BCMS) in accordance with BSI Standard 200-4.
Is BCM according to BSI 200-4 mandatory for SMEs?
Since 6 December 2025, the NIS-2 Implementation Act has required around 29,500 companies in Germany to have structured business continuity management. Many medium-sized companies with 50 or more employees or a turnover of 10 million euros or more in the affected sectors are among them. BSI Standard 200-4 is not a legal requirement, but it is the recognised methodology for verifiably fulfilling the NIS-2 requirements.
How long does it take to set up a BCM in accordance with BSI 200-4?
Thanks to the three-stage model, SMEs can establish a reactive BCMS that fulfils the NIS-2 minimum requirements in just four to eight weeks. It takes three to six months to set up a complete build-up BCMS and six to 12 months for a comprehensive standard BCMS.
What role does emergency communication play in the business continuity plan?
Emergency communication is crucial in all phases of a disruption. BSI Standard 200-4 requires that companies can continue to communicate with employees, customers and authorities even if their primary IT system fails. Secondary communication platforms such as EVAC from mailbox close precisely this gap.