Source: OJ L, 2024/1774, 25.6.2024

Current language: EN

Article 29 Information security policy and measures

Summary What does Article 29 of the RTS on ICT risk management framework say?

This article applies specifically to the smaller financial entities subject to the simplified ICT risk management framework under Article 16(1) of DORA.

It requires those entities to establish an information security policy as the foundation for their ICT security posture, from which concrete security measures must then flow.

The article acts as a gateway provision, anchoring the simplified framework by directing financial entities to the detailed security measures set out in Articles 30 to 38 of this regulation.

Important points:

  • Develop, document, and implement an information security policy covering the confidentiality, integrity, availability, and authenticity of data and services.
  • Use that policy as the basis for establishing and implementing ICT security measures, including those carried out by ICT third-party service providers.
  • The ICT security measures required must encompass all measures specified in Articles 30 to 38 of this regulation.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide.

    1. Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers.

    2. The ICT security measures shall include all of the measures referred to in Articles 30 to 38.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod