Audit according to NIS2 and Act 69/2018 Coll. on Cyber Security

Audit goal

The audit systematically assesses the state of the organization's cyber security: it identifies potential risks, evaluates the security measures in place and checks compliance with legal requirements and regulations. The process is meant to confirm that the organization has effective systems for risk management, data protection, incident response and recovery from incidents.

Who is audited?

Under NIS2 and Act 69/2018 Coll. on Cyber Security, the following entities are subject to audit:

  • Providers of essential services and critical services (e.g. energy companies, water utilities, health service providers, banks and other entities that operate critical infrastructure services),
  • Digital service providers (online marketplaces, online search engines and cloud computing services),
  • Other entities designated under this Act.

Audit process:

  • 1. Audit preparation: the organization gathers the documents and information the auditor will use for the assessment, including internal policies, procedures, records of implemented security measures and reports of previous incidents.
  • 2. Compliance assessment: the auditor examines whether the organization meets all the requirements of Act 69/2018, including the implementation of security measures, risk management, monitoring and response to incidents, and ensuring business continuity.
  • 3. Identification of risks and weaknesses: during the audit, the auditor identifies potential risks and weaknesses in the organization's cyber security system, including technical, organizational and personnel deficiencies.
  • 4. Audit report: after the audit is completed, a report is drawn up containing the audit findings, the identified deficiencies, recommendations for improvement and an assessment of the organization's overall level of cyber security.
  • 5. Corrective measures: based on the results of the audit, the organization is obliged to take corrective measures to eliminate the identified deficiencies and to improve its overall level of cyber security.

The importance of auditing

An audit under NIS2, as transposed into Act 69/2018 Coll. on Cyber Security, is essential to confirm that organizations have implemented adequate and effective security measures against cyber threats. It also helps organizations identify weaknesses in their security measures and improve their protection and incident response systems. Compliance with this Act is critical to protecting sensitive data, ensuring the continued provision of essential services and protecting national security.