The organization has identified the national and EU legislation governing ICT preparedness related to its operations and services, as well as other norms related to ICT preparedness.
Legislation and norms determine the minimum level for implementing ICT preparedness. In addition to this, the organization must take into account the needs arising from the special features of its own operations. Understanding the internal and external dependencies of operations is a basic requirement for cost-effective management of preparedness.