Manufacturing and distribution; processing and distribution of food products; manufacturing industry; digital service providers; investigation.

All covered entities must comply with the same cybersecurity requirements, although the supervisory approach varies depending on their category. For further details, please see Articles 2, 3 and 4 and Annexes I and II of the decree-law.

What are the NIS2 requirements?

The new decree-law introduces minimum cybersecurity requirements for all covered entities, with the aim of ensuring a uniform and robust approach to digital security (Article 27):

a) incident handling;
b) business continuity, such as backup management and disaster recovery, and crisis management;
c) supply chain security, including security aspects relating to the relationships between each entity and its suppliers or direct service providers;
d) security in the acquisition, development and maintenance of information networks and systems, including the treatment and disclosure of vulnerabilities;
e) policies and procedures to assess the effectiveness of cybersecurity risk management measures;
f) basic cyber hygiene practices and cybersecurity training, including for heads of senior management bodies and employees;
g) policies and procedures relating to the use of cryptography and, where applicable, encryption, without prejudice to the powers conferred on other entities in the area of cryptography at national level or before other international organisations of which Portugal is a member;
h) human resources security, policies followed regarding access control and asset management;
i) use of multi-factor authentication or continuous authentication, secure communications and secure emergency communications systems within the entity.

Mandatory notification (Article 40)

1 – Relevant essential, important and public entities shall notify any significant incident to the competent cybersecurity authority.
2 – Compliance with mere notification does not generate increased liability for the notifying entity.
3 – In order to determine whether an incident has a significant impact within the meaning of paragraph 1, the entities concerned must take into account, in particular, the following parameters:
a) number of users affected by the service disruption;
b) the duration of the incident;
c) the level of severity of the disruption to the operation of the service;
d) the extent of the impact on economic and social activities.

Obligations of management, direction and administration bodies (Article 25)

Cybersecurity becomes a direct responsibility of the management bodies of the entities covered.