The organization shall appoint a qualified auditor for the verification of its cybersecurity risk management measures. The auditor shall meet the necessary qualification requirements as defined by the relevant regulations.
To be considered qualified, the auditor must provide documented evidence of one or more of the following:
possession of documentation confirming a background verification issued by the competent authority in accordance with Directive (EU) 2022/2557;
possession of a valid European and/or international cybersecurity certification or standard;
demonstrated experience and skill set as defined by the CIP Department.
For essential entities, the auditor must meet all three requirements.
The organization shall ensure that the auditor's appointment is approved by the CIP Department or, where applicable, the designated competent authority. The appointment can only be made after the auditor has submitted a motivated request and supporting documents to the approving authority and official approval has been granted.
The audit shall confirm that the organization's cybersecurity risk management measures comply with the applicable legal, regulatory, and technical standards.