Application of Directive    5/7

 

In the event that the protection requirements are assigned to security level "low to medium", the measures of basic IT security are generally adequate.  In all other cases, however, if the IT process is assigned to the security levels "high" or "very high", a process-specific risk analysis is required.  In the diagram, processes requiring such risk analysis are marked in red.