
4.3 Crisis management

4.3.1. The relevant entities shall put in place processes for crisis management.

4.3.2. The relevant entities shall ensure that crisis management processes address at least the following elements:

(a) roles and responsibilities for personnel, ensuring that all staff know their roles in crisis situations, including specific steps to follow;
(b) appropriate communication means between the relevant entities and relevant competent authorities;
(c) application of appropriate controls such as supporting systems, processes and additional capacity.

For the purpose of point (b), the flow of information between the relevant entities and relevant competent authorities shall include both obligatory communications, such as incident reports and related timelines, and non-obligatory communications.

4.3.3. The relevant entities shall implement a process for managing and making use of information received from the CSIRTs or, where applicable, the competent authorities, concerning incidents, vulnerabilities, threats or security controls.

4.3.4. The relevant entities shall test, review and, where appropriate, update the crisis management plan on a regular basis or following significant incidents or significant changes to operations or risks.

As of: 27.06.2024
