The operator of essential services is obliged to verify the efficiency of the implemented security measures and the fulfilment of requirements by carrying out a cybersecurity audit within 2 years of the day of being registered in the register of operators of essential services. The costs of the audit shall be borne by the operator of essential services. The audit shall be carried out to the extent laid down in the generally binding regulation issued by the Authority, with regard to the classification of information and the category of networks and information systems, after every change with a significant impact on the implemented security measures and at certain time intervals. The audit is carried out by a conformity assessment body that is accredited as competent to evaluate conformity in the area of cybersecurity.
The operator of essential services is obliged to submit a final report on the results of the audit to the Authority, together with the remedial measures and deadlines for their elimination, within 30 days of the completion of the audit.
The Authority may carry out an audit of the operator of essential services at any time, or it may request a conformity assessment body to carry out the audit, with the aim of confirming the efficiency of the implemented security measures and the fulfilment of the requirements under the Act on cybersecurity. The costs of such an audit shall be borne by the Authority.