Organizations are required to assign responsibility for information security to a specific person, a dedicated team, or a committee. This designated individual or group will serve as the main point of contact and will handle all technical communication and coordination with supervisory authorities and the national Computer Security Incident Response Teams (CSIRTs).

If the responsibility is given to a team or committee rather than a single person, it is necessary to appoint one individual as the official representative. Additionally, a backup person should be assigned to take over these duties whenever the primary representative is unavailable due to absence, vacancy, or illness. This ensures that there is always someone accountable and able to respond promptly to security matters.

The organization must inform the relevant supervisory authorities when they appoint an Information Security Officer. This notification must be made within three months after the appointment is made. If there are any later changes, such as a new appointment or the termination (resignation, dismissal, etc.) of the current Information Security Officer, these changes must be reported within one month of when they happen.

The organization shall ensure that the information security officer has the necessary resources (e.g., budget, personnel, tools, time) to effectively carry out their duties. The officer's position within the organization should facilitate their work, ensuring appropriate participation in all relevant security matters. Furthermore, a direct and effective communication channel with the board of directors or top management should be established and maintained to ensure strategic alignment and oversight of cyber security. The information security officer should also operate with due independence from those responsible for the technical implementation and management of networks and information systems, avoiding conflicts of interest.