NIS2 Cybersecurity Policies
The following is a personal summary and paraphrase of the cybersecurity risk-management measures required by Article 21(2) of NIS2, Directive (EU) 2022/2555.
Article 21(2) lists these as the minimum set of measures that essential and important entities subject to NIS2 must implement; Article 21(1) additionally requires the measures to be appropriate and proportionate to the risks the entity faces, based on an all-hazards approach, so meeting the list below is a floor, not a complete programme.
Required Policies
- Risk analysis and information system security.
- Incident handling.
- Business continuity, such as backup management and disaster recovery, and crisis management.
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.