7. POLICIES AND PROCEDURES TO ASSESS THE EFFECTIVENESS OF CYBERSECURITY RISK-MANAGEMENT MEASURES
8. BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING
9. CRYPTOGRAPHY

6.6 Security patch management

6.6.1. The relevant entities shall specify and apply procedures for ensuring that:

(a) security patches are applied within a reasonable time after they become
available;
(b) security patches are tested before being applied in production systems;
(c) security patches come from trusted sources and are checked for integrity;
(d) additional measures are implemented and residual risks are accepted in cases where a patch is not available or not applied pursuant to point 6.6.2.

6.6.2. By way of derogation from point 1(a), the relevant entities may choose not to apply security patches when the disadvantages of applying the security patches outweigh the cybersecurity benefits. The relevant entities shall duly document and substantiate the reasons for any such decision.

Stand: 27.06.2024

Holen Sie sich den NIS2-Umsetzungs-Fahrplan und unseren Newsletter!