(Article 48(1) of Directive 2014/65/EU)

1. Trading venues shall have in place procedures and arrangements for physical and electronic security designed to protect their systems from misuse or unauthorised access and to ensure the integrity of the data that is part of or passes through their systems, including arrangements that allow the prevention or minimisation of the risks of attacks against the information systems as defined in Article 2(a) of Directive 2013/40/EU of the European Parliament and of the Council [Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA (OJ L 218, 14.8.2013, p. 8).].

2. In particular, trading venues shall set up and maintain measures and arrangements for physical and electronic security to promptly identify and prevent or minimise the risks related to:

(a) unauthorised access to their trading system or to a part thereof, including unauthorised access to the work space and data centres;

(b) system interferences that seriously hinder or interrupt the functioning of an information system by inputting data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible;

(c) data interferences that delete, damage, deteriorate, alter or suppress data on the information system, or render such data inaccessible;