CDR 2024-1774 Chapter 1 Section 8 Article 18

Article 18 – Physical and environmental security

  1. As part of the safeguards to preserve the availability, authenticity, integrity, and confidentiality of data, financial entities shall specify, document, and implement a physical and environmental security policy. Financial entities shall design that policy i light of the cyber threat landscape, in accordance with the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554, and in light of the overall risk profile of ICT assets and accessible information assets.
  2. The physical and environmental security policy referred to in paragraph 1 shall contain all of the following:
    1. a reference to the section of the policy on control of access management rights referred to in Article 21, first paragraph, point (g);
    2. measures to protect from attacks, accidents, and environmental threats and hazards, the premises, data centres of the financial entity, and sensitive designated areas identified by the financial entity, where ICT assets and information assets reside;
    3. measures to secure ICT assets, both within and outside the premises of the financial entity, taking into account the results of the ICT risk assessment related to the relevant ICT assets;
    4. measures to ensure the availability, authenticity, integrity, and confidentiality of ICT assets, information assets, and physical access control devices of the financial entity through the appropriate maintenance;
    5. measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including:
      1. a clear desk policy for papers;
      2. a clear screen policy for information processing facilities.

      6. For the purposes of point (b), the measures to protect from environmental threats and hazards shall be commensurate with the importance of the premises, data centres, sensitive designated areas, and the criticality of the operations or ICT systems located therein.

      For the purposes of point (c), the physical and environmental security policy referred to in paragraph 1 shall contain measures to provide appropriate protection to unattended ICT assets.