Info
🔗 Back to Summary. 🇫🇷 French Version: 2024R1774_FR.29. Back to Summary of LVL1. Open the PDF. Direct link to EUR-LEX.
Article 28 – Governance and organisation ⬅️ | ➡️ Article 30 – Classification of information assets and ICT assets
Références LVL1 <=> LVL2
Level 1 reference(s): 2022R2554_EN.16
Article 29 - Information security policy and measures
1.
The financial entities referred to in 2022 shall develop, document, and implement an information security policy in the context of the simplified ICT risk management framework. That information security policy shall specify the high-level principles and rules to protect the confidentiality, integrity, availability, and authenticity of data and of the services those financial entities provide.
2.
Based on their information security policy referred to in paragraph 1, the financial entities referred to in paragraph 1 shall establish and implement ICT security measures to mitigate their exposure to ICT risk, including mitigating measures implemented by ICT third-party service providers. The ICT security measures shall include all of the measures referred to in Articles 30 to 38.