Title Mažų ir vidutinių organizacijų TIS2 kibernetinio saugumo vertinimo informacinės sistemos projektas
Translation of Title Project of an information system for assessing NIS2 cybersecurity in small and medium-sized organizations.
Authors Verbickij, Igor
Pages 269
Abstract [eng] This master’s thesis examines the application of the requirements of the TIS2 Directive to the assessment of organizations’ cybersecurity. It addresses the problem of how to transform the complex legal and methodological requirements of TIS2 into a practical self-assessment tool that matches the resources of small and medium-sized organizations. The aim of the thesis is to design an information system which, based on the TIS2 Directive and the legal acts implementing it, enables the identification of an organization’s cybersecurity status and the assessment of its compliance with TIS2 requirements and, on the basis of the assessment results, provides a detailed implementation plan for remediating identified gaps. The following methods were applied in the thesis: comparative analysis of TIS2, NIST CSF 2.0, ISO/IEC 27001 and DORA; analysis of scientific literature and legal acts; analysis of ENISA best practices, technical documentation of tools and other secondary sources; and software requirements engineering and software design methods. Based on the results of the analysis, an adaptive TIS2 compliance assessment methodology was developed, covering the determination of the entity’s cybersecurity status, a questionnaire based on a deconstruction of the TIS2 requirements, and a remediation implementation plan built on the principle of a work breakdown structure. In the practical part, a minimum viable product (MVP)-level TIS2 assessment tool was created: a client-side single-page React application implementing the developed theoretical methodologies. The testing results showed that the created MVP meets the formulated functional and non-functional requirements.
The limitations of the thesis are determined by the dynamic evolution of the legal acts and the absence of empirical testing in real organizations. Nevertheless, the aim has been achieved: a methodologically grounded concept and technically implemented TIS2 compliance assessment information system has been created, which is relevant for organizations’ preparedness to implement cybersecurity requirements. A basis has also been laid for further empirical research on the practical application of cybersecurity compliance assessment and for the development of the concept, including integration with data from third-party cybersecurity solutions used in organizations and the use of the tool as an auditing instrument for external auditors.
Dissertation Institution Vilniaus universitetas.
Type Master thesis
Language Lithuanian
Publication date 2026