5. Information Security Management System

5.7. Business continuity management

Business Continuity Management (BCM) is a process based on identifying key elements (systems and processes) in an organisation and then setting up processes and procedures to ensure continuity or renewal of these elements, at a predefined level at which it will still be possible to perform basic tasks of the organisation.

In the case of business continuity management, a risk assessment and an analysis of the existing information and communication systems and services should be carried out, and on the basis of the data thus obtained the following should be determined:

  • the minimum level of services provided that is acceptable for the use, operation and management of the information and communication system,
  • the recovery time, i.e. the period within which the minimum level of information and communication system services will be restored after a cybersecurity incident,
  • the data recovery point, i.e. the period for which data must be recoverable after a cybersecurity incident or failure.

Within the framework of business continuity management, the obligor shall also:

  • set out the rights and obligations of administrators and persons holding security roles,
  • assess and document possible impacts of cybersecurity incidents and assess possible risks related to threats to business continuity through risk assessment and impact analysis,
  • set out a policy of business continuity management,
  • develop, update and regularly test business continuity plans and emergency plans related to the operation of the information and communication system and related services,
  • implement measures to increase the resilience of the information and communication system to cybersecurity incidents and to restrictions on its availability.