Version: 1.0 | Effective from: 1 January 2026
1. Purpose
This directive defines the rules for cybersecurity management in compliance with NIS2 and the Cybersecurity Act.
2. Scope
This directive applies to:
- All information systems
- All employees and contractors
- All vendors with system access
- Physical security of ICT
3.1 ISMS Structure
4. Asset Management
4.1 Asset Inventory
Every asset must be documented:
| Field | Description |
|---|---|
| Asset ID | Unique identifier |
| Name | Descriptive name |
| Type | Hardware / Software / Data / Service |
| Responsible person | Who is responsible |
| Criticality | Critical / High / Medium / Low |
| Location | Physical/logical location |
| Classification | Confidential / Internal / Public |
4.2 Asset Criticality
| Level | Definition | RTO | RPO |
|---|---|---|---|
| Critical | Outage = business stop | <4h | <1h |
| High | Significant business impact | <8h | <4h |
| Medium | Limited impact | <24h | <8h |
| Low | Minimal impact | <72h | <24h |
5. Technical Controls
5.1 Mandatory Controls
| Control | Requirement | Status |
|---|---|---|
| Encryption at rest | AES-256 for all data | Required |
| Encryption in transit | TLS 1.3 for all APIs | Required |
| Access Control | MFA + RBAC | Required |
| Patch Management | Critical <7 days, High <30 days | Required |
| Logging | Centralized SIEM, 1-year retention | Required |
| Backup | Daily, tested monthly | Required |
| Firewall | Perimeter + internal | Required |
| Antimalware | Endpoint protection | Required |
| IDS/IPS | Network intrusion detection | Recommended |
| DLP | Data Loss Prevention | Recommended |
5.2 Encryption Standards
| Type | Algorithm | Key Length |
|---|---|---|
| Symmetric | AES | 256-bit |
| Asymmetric | RSA | 4096-bit |
| Hashing | SHA | 256-bit+ |
| TLS | 1.3 | N/A |
5.3 Access Control
Access Control Principles:
- Least Privilege — minimum necessary permissions
- Need-to-Know — access only to required data
- Separation of Duties — division of responsibilities
- MFA — for all admin accounts
- Regular Review — quarterly access audit
6. Organizational Controls
6.1 HR Security
| Phase | Control |
|---|---|
| Pre-employment | Background check (depending on position) |
| Onboarding | NDA, Security training, Policy acknowledgment |
| During employment | Regular training, Access reviews |
| Offboarding | Access removal (24h), Device return, Exit interview |
6.2 Training Requirements
| Role | Training | Frequency |
|---|---|---|
| All employees | Security awareness | Annually |
| All employees | Phishing simulation | Quarterly |
| IT staff | Technical security | Semi-annually |
| Developers | Secure coding | Semi-annually |
| Management | Security governance | Annually |
7. Physical Security
7.1 Security Zones
| Zone | Description | Access |
|---|---|---|
| Public | Reception, lobby | Unrestricted |
| Office | Offices | Badge + PIN |
| Restricted | Server room, DC | Badge + PIN + biometrics |
| Highly Restricted | HSM, key storage | Dual control |
7.2 Data Center Security
8. Vulnerability Management
8.1 Scanning Schedule
| Type | Frequency | Scope |
|---|---|---|
| Network scan | Weekly | All subnets |
| Vulnerability scan | Monthly | All systems |
| Web app scan | Monthly | All web apps |
| Penetration test | Annually | Full scope |
8.2 Patch Management SLA
| Severity | SLA | Approval |
|---|---|---|
| Critical | 7 days | Emergency change |
| High | 30 days | Standard change |
| Medium | 90 days | Standard change |
| Low | Next release | Standard change |
9. Business Continuity
9.1 BCM Components
| Component | Description |
|---|---|
| BIA | Business Impact Analysis |
| BCP | Business Continuity Plan |
| DRP | Disaster Recovery Plan |
| IRP | Incident Response Plan |
| CMP | Crisis Management Plan |
9.2 Recovery Objectives
| System | RTO | RPO |
|---|---|---|
| Production DB | 4h | 1h |
| Web services | 2h | 1h |
| Email | 8h | 4h |
| Internal apps | 24h | 8h |
9.3 Testing Schedule
| Test | Frequency |
|---|---|
| Backup restoration | Monthly |
| Failover test | Quarterly |
| DR drill | Semi-annually |
| Full BCP test | Annually |
10. Vendor Security
10.1 Vendor Assessment
Before onboarding a vendor with data access:
10.2 Ongoing Monitoring
| Activity | Frequency |
|---|---|
| Security review | Annually |
| Access audit | Quarterly |
| Incident review | On incident |
| Contract review | On renewal |
11. Audit & Compliance
11.1 Audit Schedule
| Type | Frequency | Scope |
|---|---|---|
| Internal audit | Quarterly | Rotating areas |
| External audit | Annually | Full ISMS |
| Compliance check | Semi-annually | NIS2, GDPR |
| Penetration test | Annually | Full scope |
11.2 Certifications
| Certification | Status | Validity |
|---|---|---|
| ISO 27001 | Target | Q3 2026 |
| SOC 2 Type II | Optional | — |
12. Metrics & KPIs
| KPI | Target | Measurement |
|---|---|---|
| Patch compliance | >95% | Monthly |
| Vulnerability remediation | <30 days (high) | Monthly |
| Security training completion | 100% | Quarterly |
| Incident response time | <4h (critical) | On incident |
| MFA adoption | 100% (admin) | Monthly |
13. Policy Review
- Monthly: Security metrics review
- Quarterly: Policy effectiveness review
- Annually: Full policy review + CISO approval
Next review: Q2 2026