Beta

Source: OJ L, 2024/1774, 25.6.2024

EN

Article 18 Physical and environmental security

    1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entitiesas defined in Article 2, points (a) to (t) shall specify, document, and implement a physical and environmental security policy. Financial entitiesas defined in Article 2, points (a) to (t) shall design that policy i light of the cyber threat means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881; landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile of ICT assets means a software or hardware asset in the network and information systems used by the financial entity; and accessible information assets means a collection of information, either tangible or intangible, that is worth protecting;.

    1. The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:

      1. a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);

      2. measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, and sensitive designated areas identified by the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, where ICT assets means a software or hardware asset in the network and information systems used by the financial entity; and information assets means a collection of information, either tangible or intangible, that is worth protecting; reside;

      3. measures to secure ICT assets means a software or hardware asset in the network and information systems used by the financial entity;, both within and outside the premises of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations;, taking into account the results of the ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; assessment related to the relevant ICT assets means a software or hardware asset in the network and information systems used by the financial entity;;

      4. measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets means a software or hardware asset in the network and information systems used by the financial entity;, information assets means a collection of information, either tangible or intangible, that is worth protecting;, and physical access control devices of the financial entity means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations; through the appropriate maintenance;

      5. measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:

        1. a clear desk policy for papers;

        2. a clear screen policy for information processing facilities.

    2. For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.

    3. For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets means a software or hardware asset in the network and information systems used by the financial entity;.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod