Information security policy and measures


  1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall develop, document, and implement an information security policy in the context of the simplified ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment; management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entitiesas defined in Article 2, points (a) to (t) provide.

  2. Based on their information security policy referred to in paragraph 1, the financial entitiesas defined in Article 2, points (a) to (t) referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT riskmeans any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment;, including mitigating measures implemented by ICT third-party service providersmeans an undertaking providing ICT services;.

    The ICT security measures shall include all of the measures referred to in Article 30 to 38.