Art. 29 Information security policy and measures | RTS on ICT risk management framework | DORA

1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entitiesas defined in Article 2, points (a) to (t) provide.
1. Based on their information security policy referred to in paragraph 1, the financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, including mitigating measures implemented by ICT third-party service providers means an undertaking providing ICT services;.
2. The ICT security measures shall include all of the measures referred to in Articles 30 to 38.