In the final chapter, we summarize the most important tasks of high-impact and critical impact entities:
Appoints a Single Point of Contact (SPOC) (NCCS Article 38 Paragraph 1);
Every three years, conducts entity-level cybersecurity risk management for all assets within the high-impact and critical-impact perimeters (NCCS Article 26, NCCS Article 27);
Keeps an inventory of assets in the Asset Inventory. The asset inventory is not part of the risk assessment report (NCCS Article 26);
Every three years, submits a report to the competent authority, which includes the following information (NCCS Article 27):
List of controls, along with the current implementation status of each control;
Estimation of the risks related to the confidentiality, integrity, and availability of information and relevant assets for all union-level, high-impact, or critical impact processes;
List of critical ICT service providers based on their critical impact processes.
Establishes a cybersecurity management system (NCCS Article 32);
Demonstrates compliance with the cybersecurity management system and the minimum or advanced cybersecurity controls (critical-impact entities only) (NCCS Article 25);
Applies minimum and advanced controls in the supply chain (NCCS Article 33);
Establishes CSOC capabilities (NCCS Article 38);
Reports information related to cyberattacks / cyber threats / unpatched, actively exploited vulnerabilities (NCCS Article 38);
| Topic | Deadline | Recipients of the Report |
|---|---|---|
| Cyberattack | Within 4 hours | CSIRT, Competent Authority |
| Unpatched, actively exploited vulnerability | NIS 2 | CSIRT |
| Cyberthreat | Immediately | CSIRT |
Develops and tests Cyber Attack Management Procedures (NCCS Article 39) and Crisis Management Plans at least every three years (NCCS Article 41);
Every three years, conducts a cybersecurity exercise (critical-impact entities only) (NCCS Article 43).