Source: OJ L, 2024/1774, 25.6.2024
Digital Operational Resilience Act (DORA): RTS on ICT risk management framework
Article 2 General elements of ICT security policies, procedures, protocols, and tools
1. Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework. Financial entities shall establish the ICT security policies, procedures, protocols, and tools laid down in this Chapter that:
(a) ensure the security of networks;
(b) contain safeguards against intrusions and data misuse;
(c) preserve the availability, authenticity, integrity, and confidentiality of data, including via the use of cryptographic techniques;
(d) guarantee an accurate and prompt data transmission without major disruptions and undue delays.
2. Financial entities shall ensure that the ICT security policies referred to in paragraph 1:
(a) are aligned to the financial entity's information security objectives included in the digital operational resilience strategy referred to in Article 6(8) of Regulation (EU) 2022/2554;
(b) indicate the date of the formal approval of the ICT security policies by the management body;
(c) contain indicators and measures to:
(i) monitor the implementation of the ICT security policies, procedures, protocols, and tools;
(ii) record exceptions from that implementation;
(iii) ensure that the digital operational resilience of the financial entity is ensured in case of exceptions as referred to in point (ii);
(d) specify the responsibilities of staff at all levels to ensure the financial entity's ICT security;
(e) specify the consequences of non-compliance by staff of the financial entity with the ICT security policies, where provisions to that effect are not laid down in other policies of the financial entity;
(f) list the documentation to be maintained;
(g) specify the segregation of duties arrangements in the context of the three lines of defence model or other internal risk management and control model, as applicable, to avoid conflicts of interest;
(h) consider leading practices and, where applicable, standards as defined in Article 2, point (1), of Regulation (EU) No 1025/2012;
(i) identify the roles and responsibilities for the development, implementation and maintenance of ICT security policies, procedures, protocols, and tools;
(j) are reviewed in accordance with Article 6(5) of Regulation (EU) 2022/2554;
(k) take into account material changes concerning the financial entity, including material changes to the activities or processes of the financial entity, to the cyber threat landscape, or to applicable legal obligations.