I would like a little clarification. Perhaps you provided it a little earlier, but I didn't hear it.
This concerns the directive in section 6.1.2 of the Directive on Recordkeeping. It states: “[...] documenting the risk profile of information resources, taking into consideration legal and regulatory risks [...].”
What do you mean by that? What are your criteria for determining the risk profile? What is the risk profile?