Article 9
Security
A data reporting services provider shall set up and maintain procedures and arrangements for physical and electronic security designed to:
protect its IT systems from misuse or unauthorised access;
minimise the risks of attacks against the information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council (1);
prevent unauthorised disclosure of confidential information;
ensure the security and integrity of the data.
In respect of breaches in the physical and electronic security measures referred to in paragraphs 1, 2 and 3, a data reporting services provider shall promptly notify:
the competent authority of its home Member State and provide an incident report, indicating the nature of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;
its clients that have been affected by the security breach.
(1) Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).