Source: OJ L, 2024/2690, 18.10.2024
ENRecital 20 Basic cyber hygiene and awareness training
Pursuant to Article 21(2), point (g), of Directive (EU) 2022/2555, Member States are to ensure that essential and important entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; apply basic cyber hygiene practices and cybersecurity means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881; training. Basic cyber hygiene practices can include zero-trust principles, software means the part of an electronic information system which consists of computer code; updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;, phishing or social engineering techniques. Cyber hygiene practices are a part of different technical and methodological requirements of the cybersecurity risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; management measures set out in the Annex to this Regulation. With regard to basic cyber hygiene practices for users, the relevant entities means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; should consider practices such as clear desk and screen policy, use of multi-factor and other authentication means, safe email use and web browsing, protection from phishing and social engineering, secure remote working practices.