Art. 18 Physical and environmental security | RTS on ICT risk management framework | DORA

This article requires financial entities to put in place a physical and environmental security policy as part of their broader data safeguards.

The policy must be designed with the cyber threat landscape and the ICT risk assessment in mind, and it covers the protection of physical spaces — premises, data centres, and sensitive designated areas — as well as the ICT and information assets that reside within them.

Notably, the article explicitly links to Article 21 on access management rights, meaning the two policies must be read together.

The scope extends beyond the office walls, requiring security measures for ICT assets located outside the financial entity's premises as well.

Important points:

Specify, document, and implement a physical and environmental security policy that accounts for the cyber threat landscape and ICT risk assessment results.
The policy must cover protection of physical locations and assets from attacks, accidents, and environmental threats, with protections scaled to the criticality of the operations or ICT systems located therein.
Include practical data protection measures such as a clear desk policy for papers and a clear screen policy for information processing facilities.

1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy i light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets.
1. The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:
  1. a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);
  2. measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside;
  3. measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets;
  4. measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance;
  5. measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:
    a clear desk policy for papers;
    a clear screen policy for information processing facilities.
2. For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.
3. For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets.