Physical and environmental security


  1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall identify and implement physical security measures designed on the basis of the threat landscape and in accordance with the classification referred to in Article 30(1) of this Regulation, the overall risk profile of ICT assetsa software or hardware asset in the network and information systems used by the financial entity, and accessible information assetsa collection of information, either tangible or intangible, that is worth protecting.

  2. The measures referred to in paragraph 1 shall protect the premises of financial entitiesas defined in Article 2, points (a) to (t) and, where applicable, data centres of financial entitiesas defined in Article 2, points (a) to (t) where ICT assetsa software or hardware asset in the network and information systems used by the financial entity and information assetsa collection of information, either tangible or intangible, that is worth protecting reside from unauthorised access, attacks, and accidents, and from environmental threats and hazards.

  3. The protection from environmental threats and hazards shall be commensurate with the importance of the premises concerned and, where applicable, the data centres and the criticality of the operations or ICT systems located therein.