8. BASIC CYBER HYGIENE PRACTICES AND SECURITY TRAINING

8.2 Security training

8.2.1. The relevant entities shall ensure that employees, whose roles require security relevant skill sets and expertise, receive training on network and information system security.

8.2.2. The relevant entities shall establish, implement and apply a training program in line with the network and information security policy, topic-specific policies and other relevant procedures on network and information security which lays down the training needs for certain roles and positions based on criteria.

8.2.3. The training referred to in point 8.2.1. shall be relevant to the job function of the employee and its effectiveness shall be assessed. Training shall take into consideration security measures in place and cover the following:

(a) regular and documented instructions regarding the secure configuration and operation of the network and information systems, including mobile devices;
(b) regular and documented briefing on known cyber threats;
(c) regular and documented training on how to behave when security-relevant events occur.

8.2.4. The relevant entities shall apply training to staff members who transfer to new positions or roles which require security relevant skill sets and expertise.

8.2.5. The program shall be updated and run periodically taking into account applicable policies and rules, assigned roles, responsibilities, as well as known cyber threats and technological developments.

As of: 27.06.2024