The organization must establish, implement, and maintain security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems. Specifically, the organization must:
- Identify the applicable technical specifications and ICT technical specifications as defined under Article 2, points (4) and (5), of Regulation (EU) No 1025/2012. This involves recognizing relevant European standards and technical frameworks that govern ICT systems and ensuring alignment with them.
- Determine detailed requirements for the secure acquisition, development, and maintenance of ICT systems.
- Place particular focus on ICT security requirements, such as secure coding practices, secure design principles, risk assessments, and security testing procedures.
- Ensure that all such requirements are reviewed and formally approved by the relevant business function and ICT asset owner, following the organization’s internal governance processes.
The acquisition process must also specify and enforce measures designed to mitigate the risk of:
- Unintentional alteration of ICT systems (e.g., through errors, software bugs, or misconfigurations),
- Intentional manipulation (e.g., through cyberattacks, insider threats, or unauthorized changes).
Measures may include version control, access management, change control processes, code reviews, integrity monitoring, and the use of cryptographic protections.