Within 24 months of being notified by the competent authority that they have been identified as a high impact or critical impact entity in accordance with NCCS Article 24 Paragraph 6, each entity shall, in accordance with NCCS Article 32 Paragraph 1:
(a) determine the scope of the cybersecurity management system considering interfaces and dependencies with other entities;
(b) ensure that all its senior management is informed of relevant legal obligations and actively contributes to the implementation of the cybersecurity management system through timely decisions and prompt reactions;
(c) ensure that the resources needed for the cybersecurity management system are available;
(d) establish a cybersecurity policy that shall be documented and communicated within the entity and to parties affected by the security risks;
(e) assign and communicate responsibilities for roles relevant to cybersecurity;
(f) perform cybersecurity risk management at entity level as defined in NCCS Article 26;
(g) determine and provide the resources required for the implementation, maintenance and continual improvement of the cybersecurity management system, taking into account the necessary competence and awareness of cybersecurity resources;
(h) determine the internal and external communication that is relevant to cybersecurity;
(i) create, update and control documented information related to the cybersecurity management system;
(j) evaluate the performance and effectiveness of the cybersecurity management system;
(k) conduct internal audits at planned intervals to ensure that the cybersecurity management system is effectively implemented and maintained;
(l) review the implementation of the cybersecurity management system at planned intervals; and control and correct non-compliance of the resources and activities with the policies, procedures and guidelines in the cybersecurity management system.