6.7 Network security
6.7.1. The relevant entities shall take the appropriate measures to protect their network and information systems from cyber threats.
6.7.2. For the purpose of point 6.7.1., the relevant entities shall
(a) document the architecture of the network in a comprehensible and up to date manner;
(b) determine and apply controls to protect the relevant entities’ internal network domains from unauthorised access;
(c) configure controls to prevent accesses not required for the operation of the relevant entities;
(d) determine and apply controls for remote access to network and information systems, including access by service providers;
(e) not use systems used for administration of the security policy implementation for other purposes;
(f) explicitly forbid or deactivate unneeded connections and services;
(g) where appropriate, exclusively allow access to the relevant entities’ network and information systems by devices authorised by those entities;
(h) allow connections of service providers only after an authorisation request and for a set time period, such as the duration of a maintenance operation;
(i) establish communication between distinct systems only through trusted channels that are isolated using logical, cryptographic or physical separation from other communication channels and provide assured identification of their end points and protection of the channel data from modification or disclosure;
(j) adopt an implementation plan for the secure and full transition towards latest generation network layer communication protocols to reduce the attack surface of the networks and establish measures to accelerate such transition;
(k) adopt an implementation plan for the deployment of internationally agreed and interoperable modern e-mail communications standards to secure e-mail communications to mitigate vulnerabilities linked to e-mail-related threats and establish measures to accelerate such deployment;
(l) apply best practices for Internet routing security and routing hygiene of traffic originating from and destined to the network.
6.7.3. The relevant entities shall review and, where appropriate, update these measures at planned intervals and when significant incidents or significant changes to operations or risks occur.