
6.2 Secure development life cycle

6.2.1. The relevant entities shall lay down, implement and apply rules for the secure development of network and information systems, including software, and apply them when acquiring or developing network and information systems. The rules shall cover all development phases, including specification, design, development, implementation and testing.

6.2.2. The relevant entities shall:

(a) carry out an analysis of security requirements at the specification and design phases of any development or acquisition project undertaken by the relevant entities or on behalf of those entities;
(b) apply principles for engineering secure systems and secure coding principles to any information system development activities such as promoting cybersecurity-by-design, zero trust architectures;
(c) lay down security requirements regarding development environments;
(d) establish and implement security testing processes in the development life cycle;
(e) appropriately select, protect and manage security test information;
(f) sanitise and anonymise testing data according to the risk assessment.

6.2.3. For outsourced development and procurement of network and information systems, the relevant entities shall apply the policies and procedures referred to in points 5 and 6.1.

6.2.4. The relevant entities shall review and, where appropriate, update their secure development rules at planned intervals.

As of: 27.06.2024
