Article 23 Security and limits to access (Article 48(1) of Directive 2014/65/EU)

  (1) Trading venues shall have in place procedures and arrangements for physical and electronic security designed to protect their systems from misuse or unauthorised access and to ensure the integrity of the data that is part of or passes through their systems, including arrangements that allow the prevention or minimisation of the risks of attacks against the information systems as defined in the UK law corresponding to Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council.

  (2) In particular, trading venues shall set up and maintain measures and arrangements for physical and electronic security to promptly identify and prevent or minimise the risks related to:

    (a) unauthorised access to their trading system or to a part thereof, including unauthorised access to the work space and data centres;

    (b) system interferences that seriously hinder or interrupt the functioning of an information system by inputting data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;

    (c) data interferences that delete, damage, deteriorate, alter or suppress data on the information system, or render such data inaccessible;

    (d) interceptions, by technical means, of non-public transmissions of data to, from or within an information system, including electromagnetic emissions from an information system carrying such data.

  (3) Trading venues shall promptly inform the competent authority of incidents of misuse or unauthorised access by promptly providing an incident report indicating the nature of the incident, the measures adopted in response to the incident and the initiatives taken to avoid similar incidents from occurring in the future.