Business Continuity Testing Platform

🛡 Purpose-built for NIS2 · DORA · GDPR

Prove your resilience.
Test your compliance.

Run professional tabletop exercises that simulate real cyber and operational crises - and generate the compliance evidence your auditors actually need.

Start your first exercise → See how it works

No software to install

Works in any browser

Real-time participant responses

Instant compliance report

What you get

Everything you need to run a professional exercise

From pre-built scenarios to real-time response collection to a compliance-mapped report - all in one place.

📋

Expert-built Scenarios

Three difficulty levels (basic, intermediate, advanced) across NIS2, DORA, and GDPR - from DDoS attacks to ransomware, GDPR breaches to supervisory authority investigations.

⚡

Live Exercise Runner

Real-time WebSocket interface. Trigger injects, watch participant responses appear instantly, score quality, and tick off expected actions - all from a single screen.

📊

Compliance-mapped Reports

Each exercise automatically generates a gap analysis report mapped to specific NIS2, DORA, and GDPR articles - exactly what auditors and regulators look for.

👥

No Accounts for Participants

Share a link - participants join instantly by name only. No registration, no app. Works for in-person tabletops and remote sessions over Teams or Zoom.

✎

Custom Scenario Builder

Create your own scenarios tailored to your organisation's specific risks, sector, or regulatory context. Add as many injects as you need.

🔒

Private by Default

Your exercises, responses, and reports are private to your account. Nobody else can see your data. Exercises are fully isolated per facilitator.

The platform

Everything in one place

From selecting a scenario to downloading your compliance report — the full workflow in a single browser tab.

bcptesting.com / dashboard

Dashboard — exercise overview and compliance coverage

Dashboard — see all your exercises at a glance, track compliance coverage across NIS2, DORA and GDPR, and start a new exercise in one click.

Scenario Library — browse 20+ expert-built crisis scenarios across three difficulty levels, each mapped to specific regulation articles.

Live Exercise Runner — trigger injects in sequence, watch participant responses arrive in real-time, score quality, and tick off expected actions as they are observed.

Participant View — participants join instantly via a shared link with no account needed. They see the active inject and submit their responses in real-time from any browser.

After-Action Report — automatic gap analysis mapped to NIS2, DORA and GDPR articles, with participant responses, scores, and facilitator notes — ready to share with auditors.

PDF Export — download a fully formatted compliance report as a PDF, ready to hand to auditors, regulators, or management with no additional formatting required.

How it works

From setup to compliance report in under 2 hours

Four simple steps from start to evidence.

Pick a Scenario

Choose from a library of pre-built scenarios or create your own. Review injects and expected actions before you start.

Share the Link

Participants join by clicking a link - no accounts needed. Works in-person or remotely over any video conferencing tool.

Run the Exercise

Trigger injects one by one, watch responses in real-time, score quality, and tick off expected actions as they're observed.

Get the Report

Automatic compliance gap analysis mapped to NIS2, DORA, and GDPR articles. Ready to share with auditors and management.

Scenario Library

Real crisis scenarios, mapped to real regulations

Every scenario includes escalating injects, expected actions, facilitator hints, and direct compliance article mappings.

NIS2DORAAdvanced

Ransomware Attack

Critical systems encrypted mid-business-day. Backup compromise, media enquiry, regulatory notification deadline, partial recovery.

⏱ 120 min💉 6 injects📚 NIS2 Art.20, 21, 23 · DORA Art.11, 12, 17

Advanced

Cross-Border Data Breach

380,000 customer records across 7 EU member states. Lead supervisory authority, concerned DPAs, €18M fine assessment.

⏱ 120 min💉 6 injects📚 GDPR Art.32, 33, 34, 58, 83

DORAIntermediate

Core Banking System Failure

End-of-day batch fails due to vendor patch interaction. 150,000 accounts unreconciled, DORA major incident notification required.

⏱ 90 min💉 6 injects📚 DORA Art.11, 12, 13, 17

NIS2Advanced

APT Infiltration

Nation-state actor present for 8 months. CEO email, M&A documents, source code accessed. Eradication, attribution, governance response.

⏱ 120 min💉 6 injects📚 NIS2 Art.20, 21, 23, 32

… and many more across basic, intermediate, and advanced difficulties for NIS2, DORA, and GDPR.

Regulatory coverage

Built around the regulations that matter

Every scenario inject maps to specific articles. The report shows exactly which obligations you tested and where the gaps are.

🇪🇺

NIS2 Directive

Test your incident handling, governance, supply chain security, and reporting obligations against the NIS2 requirements for essential and important entities.

Art. 20 - Governance
Art. 21 - Risk-management measures
Art. 23 - Reporting obligations
Art. 32 - Enforcement measures

🏦

DORA Regulation

Validate your ICT business continuity, incident response, third-party risk management, and post-incident review capabilities against DORA requirements.

Art. 11 - ICT business continuity
Art. 12 - Response and recovery
Art. 13 - Learning and evolving
Art. 17 - Incident management
Art. 28 - Third-party risk

🔐

GDPR

Practice your breach response workflows: 72-hour notification, individual communication decisions, processor obligations, and supervisory authority interactions.

Art. 22 - Automated decisions
Art. 28 - Processor obligations
Art. 32 - Security of processing
Art. 33 - SA notification (72hr)
Art. 34 - Individual notification
Art. 83 - Administrative fines

Simple pricing

Two plans. Full access either way.

No per-exercise fees, no seat limits, no surprises. Every plan includes the full platform.

✦ Most popular

Yearly

^€49

per year · renews automatically · cancel anytime

Unlimited exercises
Full expert-built scenario library
Custom scenario builder
Real-time exercise runner
Compliance-mapped reports
NIS2, DORA & GDPR coverage
Private, per-account data

Get started →

Cancel anytime · Billed annually

Lifetime

^€99

one-time · no renewals · yours forever

Unlimited exercises
Full expert-built scenario library
Custom scenario builder
Real-time exercise runner
Compliance-mapped reports
NIS2, DORA & GDPR coverage
Private, per-account data

Get started →

Pay once · No recurring charges

Questions

Frequently asked

Do participants need to create accounts? ▼

No. Participants join by simply clicking a link and entering their name. No registration, no password, no app to install. This makes it easy to run exercises with colleagues who are not familiar with the platform.

Can I run remote exercises over Teams or Zoom? ▼

Yes. The exercise runner works in any browser. Share the exercise join link in your video conference chat, and participants can respond in real-time while you facilitate. The facilitator sees all responses live as they come in.

What does "one-time payment" mean? ▼

You pay once and have full access to all platform features forever - no subscriptions, no renewal fees, no per-exercise charges. The price you see is the only price you pay.

Can I create scenarios for my specific industry or risks? ▼

Yes. The custom scenario builder lets you create exercises with any number of injects, your own scenario text, expected actions, and compliance article mappings. Your custom scenarios are private to your account.

What regulations do the pre-built scenarios cover? ▼

The library covers NIS2, DORA, and GDPR at basic, intermediate, and advanced difficulty levels. Several scenarios are cross-regulation (e.g., ransomware tests both NIS2 and DORA). Each inject maps to specific articles in the regulation, so the compliance report is precise.

Is my exercise data private? ▼

Yes. Your exercises, participant responses, and reports are visible only to you. Each account is fully isolated - other users cannot access your data.

Prove your resilience.Test your compliance.