Source: OJ L, 2024/1774, 25.6.2024
Digital operational resilience in the financial sector (DORA): ICT risk management
RTS on ICT risk management framework
Article 35: Data, system and network security
Summary: What does Article 35 of the RTS on ICT risk management framework say?
This article applies specifically to the financial entities subject to the simplified ICT risk management framework under Article 16(1) of DORA.
It sets out a range of practical data and network security safeguards that these entities must develop and implement.
The measures span the full data lifecycle — from protection while data is in use, in transit, and at rest, through to secure deletion and disposal of storage devices when data is no longer needed.
The article also addresses the security of endpoint devices and teleworking arrangements, reflecting the realities of modern working environments.
Important points:
- Implement safeguards covering data protection across all states — in use, in transit, and at rest — and secure network traffic against unauthorised connections.
- Establish processes for the secure deletion of data and the secure disposal or decommissioning of data storage devices containing confidential information.
- Ensure that teleworking and the use of private endpoint devices do not adversely impact the ability to carry out critical activities in an adequate, timely, and secure manner.
The above is Springlex's summary of the article: a reading aid, not a substitute for the legal text, which follows.
The financial entities referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entities shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following:
(a) the identification and implementation of measures to protect data in use, in transit, and at rest;
(b) the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity;
(c) the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity’s network, and to secure the network traffic between the financial entity’s internal networks and the internet and other external connections;
(d) the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions;
(e) a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store;
(f) a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information;
(g) the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity’s ability to carry out its critical activities in an adequate, timely, and secure manner.
This text is provided by Springlex purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.