1. A CSD shall conduct a business impact analysis to:

(a) prepare a list with all the processes and activities that contribute to the delivery of the services it provides;

(b) identify and create an inventory of all the components of its IT system that support the processes and activities identified in point (a) as well as their respective interdependencies;

(c) identify and document qualitative and quantitative impacts of a disaster recovery scenario to each process and activity referred to in point (a) and how the impacts change over time in case of disruption;

(d) define and document the minimum service levels considered acceptable and adequate from the perspective of the users of the CSD;

(e) identify and document the minimum resource requirements concerning personnel and skills, work space and IT to perform each critical function at the minimum acceptable level.

2. A CSD shall conduct a risk analysis to identify how various scenarios affect the continuity of its critical operations.

3. A CSD shall ensure that its business impact analysis and risk analysis fulfil all of the following requirements:

(a) they are kept up to date;

(b) they are reviewed following a material incident or significant operational changes and, at least, annually;