1.A CSD shall conduct a business impact analysis to:
(a)prepare a list with all the processes and activities that contribute to the delivery of the services it provides;
(b)identify and create an inventory of all the components of its IT system that support the processes and activities identified in point (a) as well as their respective interdependencies;
(c)identify and document qualitative and quantitative impacts of a disaster recovery scenario to each process and activity referred to in point (a) and how the impacts change over time in case of disruption;
(d)define and document the minimum service levels considered acceptable and adequate from the perspective of the users of the CSD;
(e)identify and document the minimum resource requirements concerning personnel and skills, work space and IT to perform each critical function at the minimum acceptable level.
2.A CSD shall conduct a risk analysis to identify how various scenarios affect the continuity of its critical operations.
3.A CSD shall ensure that its business impact analysis and risk analysis fulfil all of the following requirements:
(a)they are kept up to date;
(b)they are reviewed following a material incident or significant operational changes and, at least, annually;
(c)they take into account all relevant developments, including market and IT developments.