Governance model

Associated organisations
Management of associated organisations nominates each one representative
Operators of essential services
  • Banks
  • Healthcare
  • Energy
  • Transport
  • Financial market infrastructure
  • Digital infrastructure
  • Water supply
  • Public administration
One representative for each sector
Cyber Risk Management Board

Develops proposal for the CRR-Scheme and the Cyber Risk Label accordingly

Escalation instance in case of disputes regarding rating or label qualification

Evaluations after withdrawal of the rating / label

Yearly Report
Cyber Risk Advisory Board

Definition of requirements

Approval of CRR-Scheme and the Cyber Risk Label accordingly

Control instance

Scheme corrections on demand

powered by:

The governance of the cyber risk rating schemes lies in the hands of the Cyber Risk Advisory Board, which consists of leading cybersecurity experts from large Operators of essential Services from all sectors according to the NIS directive (banks, energy providers, healthcare providers, digital services, etc.). Additionally, there are representatives of the competent NIS authority in the Cyber Risk Advisory Board. Therefore it is not only guaranteed that the requirements of the Cyber Risk Rating are technically according to state of the art, but they also comply with the security requirements of large enterprises as well as the competent authorities.

The scheme is subject to an ongoing review and improvement, to reflect the ever changing requirements of the cybersecurity domain.