Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

You are viewing the version of the document as on 2021-01-01.

Status: In this content, we have included all amendments made by EU exit-related instruments up to end September 2020. There will be more amendments to be made later this year, further to the September QCP.

Article 23 Security and limits to access (Article 48(1) of Directive 2014/65/EU)

  (1) Trading venues shall have in place procedures and arrangements for physical and electronic security designed to protect their systems from misuse or unauthorised access and to ensure the integrity of the data that is part of or passes through their systems, including arrangements that allow the prevention or minimisation of the risks of attacks against the information systems as defined in the UK law corresponding to Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council.

  (2) In particular, trading venues shall set up and maintain measures and arrangements for physical and electronic security to promptly identify and prevent or minimise the risks related to:

    (a) unauthorised access to their trading system or to a part thereof, including unauthorised access to the work space and data centres;

    (b) system interferences that seriously hinder or interrupt the functioning of an information system by inputting data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;

    (c) data interferences that delete, damage, deteriorate, alter or suppress data on the information system, or render such data inaccessible;

    (d) interceptions, by technical means, of non-public transmissions of data to, from or within an information system, including electromagnetic emissions from an information system carrying such data.

  (3) Trading venues shall promptly inform the competent authority of incidents of misuse or unauthorised access by promptly providing an incident report indicating the nature of the incident, the measures adopted in response to the incident and the initiatives taken to avoid similar incidents from occurring in the future.