Updated 18/09/2024
In force

Version from: 06/02/2018

Article 9 - Security

1. A data reporting services provider shall set up and maintain procedures and arrangements for physical and electronic security designed to:

(a) protect its IT systems from misuse or unauthorised access;

(b) minimise the risks of attacks against the information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council ( 1 );

(c) prevent unauthorised disclosure of confidential information;

(d) ensure the security and integrity of the data.

2. Where an investment firm (‘reporting firm’) uses a third party (‘submitting firm’) to submit information to an ARM on its behalf, an ARM shall have procedures and arrangements in place to ensure that the submitting firm does not have access to any other information about or submitted by the reporting firm to the ARM which may have been sent by the reporting firm directly to the ARM or via another submitting firm.

3. A data reporting services provider shall set up and maintain measures and arrangements to promptly identify and manage the risks identified in paragraph 1.

4. In respect of breaches in the physical and electronic security measures referred to in paragraphs 1, 2 and 3, a data reporting services provider shall promptly notify:

(a) the competent authority of its home Member State and provide an incident report, indicating the nature of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;

(b) its clients that have been affected by the security breach.

5. In the case of ARMs, the notification referred to in paragraph 4(a) shall also be made to any other competent authorities to whom the ARM submits transaction reports.


( 1 ) Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).