Source: OJ L, 2024/1774, 25.6.2024
Article 20 Identity management
1. As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information to enable assignment of user access rights in accordance with Article 21.
2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:
(a) without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity;
(b) a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.
For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.
For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.