8. BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING

8.1 Awareness raising and basic cyber hygiene practices

8.1.1. For the purpose of Article 21(2), point (g) of Directive (EU) 2022/2555, the relevant entities shall ensure that their employees are aware of risks, are informed of the importance of cybersecurity and apply cyber hygiene practices.

8.1.2. The relevant entities shall offer to all employees, including members of management bodies, an awareness raising programme, which shall:

(a) be scheduled over time, so that the activities are repeated and cover new employees;
(b) be established in line with the network and information security policy, topic-specific policies and relevant procedures on network and information security;
(c) cover cybersecurity risk-management measures in place, contact points and resources for additional information and advice on cybersecurity matters, as well as cyber hygiene practices for users.

8.1.3. The awareness raising programme shall be tested in terms of effectiveness, updated and offered at planned intervals taking into account changes in cyber hygiene practices, and the current threat landscape and risks posed to the relevant entities.

As of: 27.06.2024