How to protect data in a CRM from a legal point of view and beyond?
It is planned to create a CRM for printing contracts, recording the history of customer requests, collecting statistics on their sales, etc., on the SaaS model.
I re-read a bunch of articles on Habr about FSTEC and PD protection, but I still didn't understand whether there are specific legislative requirements for such a CRM.
Planned:
- PHP + MySQL on a VDS running CentOS
- SSL certificate. I read somewhere that it is needed according to GOST, and that it costs from 30k per year, is it true?))
- access rights differentiation inside CRM
- authorization by login and password
- after three unsuccessful attempts to enter a password, the next attempt is restricted for 15 minutes, by user IP
- logs of actions of each user
- each organization has its own MySQL database
Is a notification to Roskomnadzor needed? Are any licenses required?
By the way, I didn't find any information about protection in accordance with the requirements of the FSTEC and the FSB on the websites of industry systems, and I didn't find it on AmoCRM either. So, in the end, is it required or not? And what other security points should be considered?
Read Federal Law 152. For legal entities, these are separate matters.