Article 35 Data, system and network security
The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, develop and implement safeguards that ensure the security of networks against intrusions and data misuse and that preserve the availability, authenticity, integrity, and confidentiality of data. In particular, financial entitiesas defined in Article 2, points (a) to (t) shall, taking into account the classification referred to in Article 30(1) of this Regulation, establish all of the following:
-
the identification and implementation of measures to protect data in use, in transit, and at rest;
-
the identification and implementation of security measures regarding the use of software, data storage media, systems and endpoint devices that transfer and store data of the financial entity;
-
the identification and implementation of measures to prevent and detect unauthorised connections to the financial entity’s network, and to secure the network traffic between the financial entity’s internal networks and the internet and other external connections;
-
the identification and implementation of measures that ensure the availability, authenticity, integrity, and confidentiality of data during network transmissions;
-
a process to securely delete data on premises, or that are stored externally, that the financial entity no longer needs to collect or store;
-
a process to securely dispose of, or decommission, data storage devices on premises, or data storage devices that are stored externally, that contain confidential information;
-
the identification and implementation of measures to ensure that teleworking and the use of private endpoint devices does not adversely impact the financial entity’s ability to carry out its critical activities in an adequate, timely, and secure manner.