1.   A CSD shall have in place arrangements to ensure the continuity of its critical operations in disaster scenarios, including natural disasters, pandemic situations, physical attacks, intrusions, terrorist attacks, and cyber-attacks. Those arrangements shall ensure:

(a)	the availability of adequate human resources;

(b)	the availability of sufficient financial resources;

(c)	the failover, recovery and resuming of operations in a secondary processing site.

2.   The CSD's disaster recovery plan shall identify and include a recovery-time objective for critical operations and determine for each critical operation the most suitable recovery strategies. The recovery-time objective for each critical operation shall not be longer than two hours. The CSD shall ensure that back-up systems commence processing without undue delay unless this would jeopardise the integrity of the securities issues or the confidentiality of the data maintained by the CSD. A CSD shall ensure that two hours from a disruption, it is capable of resuming its critical operations. In determining the recovery times for each operation, the CSD shall take into account the potential overall impact on the market efficiency. Those arrangements shall at least ensure that, in extreme scenarios, agreed service levels are met.

3.   A CSD shall maintain at least a secondary processing site with sufficient resources, capabilities, functionalities and staffing arrangements, which are adequate to the CSD's operational needs and risks that the CSD faces in order to ensure continuity of critical operations, at least in case the main location of business is not available.

The secondary processing site shall:

(a)	provide the level of services necessary to ensure that the CSD performs its critical operations within the recovery time objective;

(b)	be located at a geographical distance from the primary processing site that allows the secondary processing site to have a distinct risk profile and prevents it from being affected by the event affecting the primary processing site;

(c)	is immediately accessible by the CSD's staff in order to ensure continuity of its critical operations where the primary processing site is not available.

4.   A CSD shall develop and maintain detailed procedures and plans concerning:

(a)	the identification, logging and reporting of all disruptive events for the operations of the CSD;

(b)	response measures to operational incidents and emergency situations;

(c)	the assessment of damages, and appropriate plans for activating the response measures referred to in point (b);

(d)	crisis management and communications, including appropriate contact points, to ensure that reliable and up to date information is transmitted to relevant stakeholders and the competent authority;

(e)	the activation and transition to alternative operational and business sites;

(f)	IT recovery, including activation of the secondary IT processing site and failover.