
13.1 Supporting utilities

13.1.1. For the purpose of Article 21(2)(c) of Directive (EU) 2022/2555, the relevant entities shall prevent loss, damage or compromise of network and information systems or interruption to their operations due to the failure and disruption of supporting utilities.

13.1.2. For that purpose, the relevant entities shall:

(a) protect facilities from power failures and other disruptions caused by failures in supporting utilities such as electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning;
(b) where appropriate, consider the use of redundancy in utilities services;
(c) protect utility services for electricity and telecommunications, which transport data or supply network and information systems, against interception and damage;
(d) monitor the utility services referred to in point (c) and report to the competent internal or external personnel events outside the permissible control range referred to in point 13.2.2(b) affecting the utility services;
(e) where appropriate, conclude contracts for the emergency supply with corresponding services, such as for the fuel for emergency power supply;
(f) ensure continuous effectiveness, monitor, maintain and test the supply of the network and information systems necessary for the operation of the service offered, in particular the electricity, temperature and humidity control, telecommunications and Internet connection.

For the purpose of point (d), the relevant entities shall document, communicate and make available policies and instructions which describe the maintenance, in particular the remote maintenance, deletion, updating and reuse of assets that process information, including those in outsourced premises or by external personnel. The entities shall equip assets that process information with automatic fail-safes and other redundancies.

13.1.3. The relevant entities shall test, review and, where appropriate, update the protection measures on a regular basis or following significant incidents or significant changes to operations or risks.

As of: 27.06.2024
