Organizations must meet the following requirements, among others:
- Risk management & technical/organizational measures (TOM)
- Obligation to report security incidents (within 24h/72h)
- Enforcement of internal security guidelines & training
- Supply chain and service provider management
Obligation to provide evidence & official controls