Minimum and Advanced Cybersecurity Controls in the Supply Chain

The minimum and advanced cybersecurity controls in the supply chain shall apply to the procurement of relevant ICT product, ICT services and ICT processes.

The minimum and advanced cybersecurity controls of the supply chain will apply to procurement processes in the entities identified as critical-impact and high-impact entities pursuant to NCCS Article 24 that starts six months after the adoption or update of the minimum and advanced cybersecurity controls referred to in NCCS Article 29 (NCCS Article 33 Paragraph 5).

Within six months of the completion of the regional cybersecurity risk assessment reports, as required by (NCCS Article 21 Paragraph 2), transmission system operators (TSOs), in collaboration with ENTSO-E for the electricity market and the EU DSO, will propose modifications to the supply chain’s minimum and advanced cybersecurity controls to the competent authority.

This proposal will be prepared in accordance with NCCS Article 8 Paragraph 10 and will consider the risks identified in the regional risk assessment that affect the procurement processes of entities identified as critical-impact and high-impact under NCCS Article 24 (NCCS Article 33 Paragraph 6).

During the cybersecurity risk management phase, each high and critical entity must establish an entity-wide risk mitigation plan for all assets within their high-impact and critical-impact perimeters and conduct a risk assessment every three years (NCCS Article 26).

During the cybersecurity risk assessment phase, each high-impact and critical-impact entity must identify potential cybersecurity risks:

kiberbiz
Click on the image to zoom in