When the organisation acts as a provider of a central system, it should define the information security requirements that user organisations must meet as a condition of use. These requirements should be included in contracts or published on the organisation's website.
The requirements should aim to protect the central system and may cover areas such as access control, incident reporting, and system configuration for user organisations.
To verify that organisations using its central system comply with the specified security requirements, the organisation should establish a review process. This process should define how audits of user organisations are conducted and how deficiencies are handled. If a user organisation fails to correct detected issues within a given deadline, the organisation must report the failure to the national cybersecurity authority.