What form of internal rules are required to assure data security?

1. GDPR, Recitals 83, 85-87; Articles 32-34 2. NIS Directive, Recital 48; Articles 1-6, 16, 20 3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), Recitals 1-9, 16-17, 19-22, 24, 74; Articles 1, 3-12, 38, 46, 49, 58. 4. Voigt and Von dem Bussche, pp. 38-43 5. Cybersecurity Strategy of the European Union