CyFun Tracker
ID.GV-3

Legal and regulatory requirements regarding cybersecurity are understood and managed

Identify · Governance

Manual Attestation

Compliance Score

55%

Partially Compliant

Documentation Maturity

3/5

Target: 2.5

Implementation Maturity

3/5

Target: 2.5

Control Description

The organization identifies and manages its legal, regulatory, and contractual cybersecurity obligations (NIS2, GDPR, sector-specific regulations).

Findings (1)
0/1 items compliant
Severity: medium

Finding: Improvement needed: Legal and regulatory requirements regarding cybersecurity are understood and managed

Current implementation does not fully meet the requirements of ID.GV-3.

Remediation Guidance

Create a register of applicable laws and regulations (NIS2, GDPR, sector requirements). Assign ownership for each requirement. Review compliance status quarterly. Engage legal counsel as needed.