Article 22
Security
(1) An application for registration as a securitisation repository shall contain proof of the following:
(a) that its information technology systems are protected from misuse or unauthorised access;
(b) that its information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council (12) are protected against attacks;
(c) that unauthorised disclosure of confidential information is prevented;
(d) that the security and integrity of the information received by it under Regulation (EU) 2017/2402 is ensured.
(2) The application shall contain proof that the applicant has arrangements in place to identify and manage the risks referred to in paragraph 1 in a prompt and timely manner.
(3) With respect to breaches in the physical and electronic security measures referred to in paragraphs 1 and 2, the application shall contain proof that the applicant has arrangements in place to do the following in a prompt and timely manner:
(a) to notify ESMA of the incident giving rise to the breach;
(b) to provide ESMA with an incident report, indicating the nature and details of the incident, the measures adopted to cope with the incident and the initiatives taken to prevent similar incidents;
(c) to notify its users of the incident where they have been affected by the breach.
(12) Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).