Art. 32 Physical and environmental security | RTS on ICT risk management framework | DORA

1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; profile of ICT assets means a software or hardware asset in the network and information systems used by the financial entity;, and accessible information assets means a collection of information, either tangible or intangible, that is worth protecting;.
1. The measures referred to in paragraph 1 shall protect the premises of financial entitiesas defined in Article 2, points (a) to (t) and, where applicable, data centres of financial entitiesas defined in Article 2, points (a) to (t) where ICT assets means a software or hardware asset in the network and information systems used by the financial entity; and information assets means a collection of information, either tangible or intangible, that is worth protecting; reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.
1. The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.