Source: OJ L, 2024/1774, 25.6.2024Current language: EN
- Digital operational resilience in the financial sector
ICT risk management
- RTS on ICT risk management framework
Article 32 Physical and environmental security
Summary What does Article 32 of the RTS on ICT risk management framework say?
This article applies specifically to the financial entities subject to the simplified ICT risk management framework under Article 16(1) of DORA.
It sets out the requirement to put physical security measures in place, grounding those measures in the threat landscape and the asset classification work already done under Article 30(1).
In essence, it translates the risk picture into tangible protections for the physical spaces where ICT and information assets live, such as premises and data centres, guarding against unauthorised access, attacks, accidents, and environmental threats and hazards.
Important points:
- Identify and implement physical security measures based on the threat landscape and the asset classification established under Article 30(1) of this Regulation.
- Ensure those measures protect premises and, where applicable, data centres from unauthorised access, attacks, accidents, and environmental threats and hazards.
- The level of protection against environmental threats and hazards must be commensurate with the importance of the premises and the criticality of the operations or ICT systems located there.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assets, and accessible information assets.
The measures referred to in paragraph 1 shall protect the premises of financial entities and, where applicable, data centres of financial entities where ICT assets and information assets reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.
The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
ICT asset
Definition
network and information system
Definition
information asset