6.1 Security in acquisition of ICT services or ICT products
6.1.1. For the purpose of Article 21(2), point (e) of Directive (EU) 2022/2555, the relevant entities shall set and implement processes and procedures to manage risks stemming from the acquisition of ICT services or ICT products for components that are critical for the relevant entities’ security of network and information systems, based on the risk assessment, from suppliers or service providers throughout their life cycle.
6.1.2. For the purpose of point 6.1.1., the processes and procedures referred to in point 6.1.1. shall include:
(a) security requirements to apply to the ICT services or ICT products to be acquired;
(b) requirements regarding security updates throughout the entire lifetime of the ICT services or ICT products, or replacement after the end of the support period;
(c) information describing the hardware and software components used in the ICT services or ICT products;
(d) information describing the implemented cybersecurity functions of the ICT services or ICT products and the configuration required for their secure operation;
(e) assurance that the ICT services or ICT products comply with the security requirements according to point (a);
(f) appropriate methods for validating that the delivered ICT services or ICT products are compliant to the stated security requirements, as well as documentation of the results of the validation.
6.1.3. The relevant entities shall review and, where appropriate, update the processes and procedures at planned intervals and when significant incidents occur.