Jurisdiction
Region
Requirement
Policy
Cybersecurity in the Marine Transportation System
Applies to
U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations
Provision
Sec. 101.650(e)(3)(ii)
Description

(3) Routine system maintenance. Each owner or operator or a designated CySO of a vessel, facility, or OCS facility must ensure the following measures for routine system maintenance are in place and documented in Section 6 of the Cybersecurity Plan: 

(i) Ensure patching or implementation of documented compensating controls for all KEVs in critical IT or OT systems, without delay; 

(ii) Maintain a method to receive and act on publicly submitted vulnerabilities; 

(iii) Maintain a method to share threat and vulnerability information with external stakeholders; 

(iv) Ensure there are no exploitable channels directly exposed to internet-accessible systems; 

(v) Ensure no OT is connected to the publicly accessible internet unless explicitly required for operation, and verify that, for any remotely accessible OT system, there is a documented justification; and 

(vi) Conduct vulnerability scans as specified in the Cybersecurity Plan.

Date
TBD
Organization
U.S. Coast Guard
Jurisdiction
Region
Requirement
Policy
Federal Information Security Modernization Act (FISMA) 2023
Applies to
Federal agencies, excluding "national security systems"
Provision
Sec. 12(f)
Description
The head of each federal agency must develop and make publicly available a vulnerability disclosure policy for their agency - clearly defining a scope and directions for how to submit information. The head of each agency should coordinate with the Director of CISA in creating the policy. Agencies should not pursue legal action against submitters that made a "good faith effort" to identify a vulnerability and report it. The legislation does not apply to national security systems.
Date
TBD
Organization
Congress / CISA
Jurisdiction
Region
Requirement
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
Important and essential entities (as defined, similar to critical infrastructure)
Provision
Article 21.2(e)
Description

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

Date
October 17, 2024
Organization
European Parliament / Commission / Council
Jurisdiction
Region
Requirement
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
EU Member States (and their designated CSIRT) and ENISA
Provision
Article 12(1)
Description

Requires Member States to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural/legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database.

Date
October 17, 2024
Organization
European Parliament / Commission / Council