Beta

Source: OJ L, 2024/1774, 25.6.2024

EN

Article 34 ICT operations security

  1. The financial entitiesas defined in Article 2, points (a) to (t) referred to in Article 16(1) of Regulation (EU) 2022/2554 shall, as part of their systems, protocols, and tools, and for all ICT assets means a software or hardware asset in the network and information systems used by the financial entity;:

    1. monitor and manage the lifecycle of all ICT assets means a software or hardware asset in the network and information systems used by the financial entity;;

    2. monitor whether the ICT assets means a software or hardware asset in the network and information systems used by the financial entity; are supported by ICT third-party service providers means an undertaking providing ICT services; of financial entitiesas defined in Article 2, points (a) to (t), where applicable;

    3. identify capacity requirements of their ICT assets means a software or hardware asset in the network and information systems used by the financial entity; and measures to maintain and improve the availability and efficiency of ICT systems and prevent ICT capacity shortages before they materialise;

    4. perform automated vulnerability means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; scanning and assessments of ICT assets means a software or hardware asset in the network and information systems used by the financial entity; commensurate to their classification as referred to in Article 30(1) and to the overall risk profile of the ICT asset means a software or hardware asset in the network and information systems used by the financial entity;, and deploy patches to address identified vulnerabilities means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited;;

    5. manage the risks related to outdated, unsupported, or legacy ICT assets means a software or hardware asset in the network and information systems used by the financial entity;;

    6. log events related to logical and physical access control, ICT operations, including system and network traffic activities, and ICT change management;

    7. identify and implement measures to monitor and analyse information on anomalous activities and behaviour for critical or important ICT operations;

    8. implement measures to monitor relevant and up-to-date information about cyber threats means ‘cyber threat’ as defined in Article 2, point (8), of Regulation (EU) 2019/881;;

    9. implement measures to identify possible information leakages, malicious code and other security threats, and publicly known vulnerabilities means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; in software and hardware, and check for corresponding new security updates.

  2. For the purposes of point (f), financial entitiesas defined in Article 2, points (a) to (t) shall align the level of detail of the logs with their purpose and usage of the ICT asset means a software or hardware asset in the network and information systems used by the financial entity; producing those logs.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod