One morning, the servers go down. Access is blocked, files are encrypted, tools are unreachable. Nothing works anymore. In the hours that follow, the company is forced into emergency mode. And in those moments, what separates an organization that holds up from one that collapses is not its size, its sector, or even its budget. It is its level of preparation. That preparation rests on a tool that has become essential: the business continuity plan, or PCA (Plan de Continuité d'Activité).
The PCA: operating insurance under constraint
The PCA is too often misunderstood or poorly positioned. It is neither a compliance document to be filed away in a binder, nor a mere IT backup. The business continuity plan is a structured strategy designed to keep what is vital to the company running in the event of a sudden disruption, whether a cyber attack, a major outage, a network cut or the unavailability of a key provider.
It does not aim to save everything, but to save what is essential. Producing, invoicing, paying, answering customers, protecting sensitive data: the PCA lets the company hold on. It does not guarantee invulnerability, but it makes vulnerability manageable.
What a good PCA contains
Building a PCA amounts to anticipating the unacceptable. The first step is to identify the critical functions, those whose interruption would immediately endanger the business. This mapping must be detailed, validated by the business lines, and updated at every change in the organization.
From there, two parameters become structuring: the RTO (Recovery Time Objective), the maximum tolerable downtime, and the RPO (Recovery Point Objective), the maximum amount of data, expressed as a span of time, that the company can afford to lose. These two thresholds then guide architecture choices, redundancy investments and fallback solutions. In practice, the RPO bounds how far apart two usable copies of the data may be, and the RTO bounds how long restoring from the latest copy may take; neither is met by writing it down, only by measuring it.
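The RTO/RPO check described above, as an added Python example that is not part of the original article: it evaluates backup and restore-exercise evidence against per-function targets, flagging an RPO breach when the backup cadence or a stale last copy exposes more data than tolerated, and an RTO breach when the last measured restore took longer than allowed or was never measured. The function names, the sample critical functions, the timestamps and the one-year exercise age limit (taken from the article's yearly-exercise recommendation) are all assumptions made for this example; the evidence is constructed, not real data.

```python
"""Check backup and restore evidence against per-function RTO/RPO targets (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    rto: timedelta  # maximum tolerable interruption
    rpo: timedelta  # maximum tolerable data loss, expressed as a span of time


@dataclass(frozen=True)
class Evidence:
    backup_interval: timedelta                   # scheduled cadence of the backup job
    last_good_backup: datetime                   # last copy that completed and was verified
    restore_test_duration: Optional[timedelta]   # measured rebuild time in the last exercise, if any
    restore_test_date: Optional[datetime]        # when that exercise took place


# Assumption for this example: the plan is exercised at least once a year.
EXERCISE_MAX_AGE = timedelta(days=365)


def worst_case_data_loss(ev: Evidence, now: datetime) -> timedelta:
    """A failure just before the next run loses one full interval; if the last
    verified copy is already older than that, the job is failing and the real
    exposure is the age of that copy."""
    return max(ev.backup_interval, now - ev.last_good_backup)


def assess(fn: CriticalFunction, ev: Evidence, now: datetime) -> list:
    """Return the list of findings for one critical function (empty means compliant)."""
    findings = []
    loss = worst_case_data_loss(ev, now)
    if loss > fn.rpo:
        findings.append(f"RPO breach: up to {loss} of data at risk, target {fn.rpo}")
    if ev.restore_test_duration is None or ev.restore_test_date is None:
        findings.append("RTO unproven: no measured restore exercise on record")
    else:
        if ev.restore_test_duration > fn.rto:
            findings.append(f"RTO breach: last restore took {ev.restore_test_duration}, target {fn.rto}")
        if now - ev.restore_test_date > EXERCISE_MAX_AGE:
            findings.append("RTO stale: last restore exercise is older than a year")
    return findings


def assess_plan(functions, evidence, now: datetime) -> dict:
    """Map each critical function name to its findings."""
    return {fn.name: assess(fn, evidence[fn.name], now) for fn in functions}


# Constructed sample data (hypothetical functions and timestamps, not from the article).
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
FUNCTIONS = [
    CriticalFunction("invoicing", rto=4 * H, rpo=1 * H),
    CriticalFunction("payroll", rto=24 * H, rpo=4 * H),
    CriticalFunction("customer_portal", rto=2 * H, rpo=timedelta(minutes=15)),
]
EVIDENCE = {
    # Backup every 15 min, last copy 10 min ago, restore rehearsed in 2 h three months ago.
    "invoicing": Evidence(timedelta(minutes=15), NOW - timedelta(minutes=10), 2 * H, NOW - timedelta(days=90)),
    # Nightly backup only, and the last rehearsed restore took 30 h.
    "payroll": Evidence(24 * H, NOW - 20 * H, 30 * H, NOW - timedelta(days=60)),
    # Job scheduled every 5 min but the last verified copy is 3 days old; restore never exercised.
    "customer_portal": Evidence(timedelta(minutes=5), NOW - timedelta(days=3), None, None),
}

if __name__ == "__main__":
    for name, findings in assess_plan(FUNCTIONS, EVIDENCE, NOW).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The point of `worst_case_data_loss` is that a short backup interval proves nothing if the job has been silently failing: the age of the last verified copy, not the schedule, is what the RPO must be compared against.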
The plan must then detail the disruption scenarios to consider: loss of a datacenter, ransomware, supplier failure, insider malice. For each scenario, the responses must be written down, tested and known. Where are the copies of the data stored? What access remains available in degraded mode? How do we communicate if email is unavailable? What if the website is offline?
The PCA also incorporates emergency procedures, information flows, priority contacts and alternative operating modes. It contains tools (email templates, reflex cards, communication scripts), tested scenarios and clear governance.
Who pilots the PCA, and who keeps it alive?
The PCA is not an IT project; it is transverse by nature, because it touches every part of the organization.
Executive management (the Direction Générale) must be its guarantor. It gives the impetus, arbitrates priorities and approves the resources. In a crisis, it carries the final responsibility. Next, a PCA manager or risk manager coordinates operational deployment: this is the person who writes, tests, adjusts and ensures the plan stays up to date.
But a PCA only works if every stakeholder is engaged. The IT department (DSI) is on the front line for everything related to infrastructure, security, tools and the PRA (Plan de Reprise d'Activité, the disaster recovery plan). The business departments define their critical needs and validate the fallback processes. HR organizes the mobilization of teams, ensures continuity of payroll and handles internal communication.
Compliance and legal check regulatory coverage, in particular for personal data (GDPR), CNIL notifications, or AMF or ACPR requirements in a regulated sector. Communications, finally, is responsible for the clarity and consistency of the messages sent internally and to customers, partners and even the media.
And critical providers must not be forgotten. In an interconnected world, no business can survive alone. Software, hosting, accounting or HR management suppliers must also be integrated into the plan. Do they have a PCA? Can they switch to degraded mode? Do they have an emergency number, an identified contact, contractual commitments? These questions must be asked upstream, not during the crisis.
Prepare, test, repeat
A continuity plan is only worth anything if it is known and tested. The best procedures fail when nobody knows them or when the right people are no longer there. This is why the PCA must undergo regular crisis simulations, at least once a year, and be systematically updated at every change of provider, tool or organization.
The frequent mistake is to treat it as a compliance exercise. That is a strategic error. The PCA is a management tool, continuity insurance, a lever of trust. It makes it possible to act quickly, limit losses, reassure customers and avoid rushed decisions under stress. Above all, in a crisis it is the only straight line in an environment that has become chaotic.
A maturity revealer
In some sectors the PCA is compulsory. In others it is still seen as an add-on. But reality demands a change of perspective. Faced with the multiplication of cyber attacks, growing technological interdependencies and mounting customer pressure on reliability, having a well-designed PCA has become an indicator of maturity. It does not guarantee there will be no crisis; it guarantees that the crisis will be faced.
The business continuity plan: compulsory in certain sectors, essential for all
Implementing a business continuity plan (PCA) is not imposed by law on all companies. But in critical sectors (finance, health, energy, telecoms) it is a regulatory requirement. The PCA helps maintain an organization's essential functions in the event of a major incident: cyber attack, outage, natural disaster, etc.
Even without a formal obligation, more and more private players adopt one, driven by customer expectations, public tenders or cybersecurity requirements. In a context of growing dependence on digital systems, continuity becomes a criterion of trust.
PCA obligations by sector

| Sector | PCA mandatory? | Regulatory references / authorities |
|---|---|---|
| Banking / finance | ✅ Yes | ACPR, Basel III, AML-CFT (LCB-FT) |
| Insurance | ✅ Yes | ACPR |
| Health | ✅ Yes | GDPR, HDS (health data hosting) certification, health IS security doctrine (ANS) |
| Telecoms | ✅ Yes | Arcep, continuity-of-service obligations |
| Energy / transport | ✅ Yes | Military Programming Law (LPM), OIV status (ANSSI) |
| Sectors subject to NIS2 | ✅ Yes (from 2025) | European cybersecurity directive (NIS2) |
| Public administrations | ✅ Yes | General Security Framework (RGS), IS continuity plan |
| SMEs / other sectors | ❌ No (but recommended) | ISO 22301, customer requirements, tenders |