# Art. 9 — Protection and prevention

1. For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
2. Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting [critical or important functions](https://www.mica.wtf/definitions/definitions/dora/critical-or-important-function), and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
3. In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with [Article 4](/dora/digital-operational-resilience-act/chapter-i-general-provisions/article-4-proportionality-principle.md). Those ICT solutions and processes shall:
   1. ensure the security of the means of transfer of data;
   2. minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;
   3. prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
   4. ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.
4. As part of the [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) management framework referred to in [Article 6(1)](/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-6-ict-risk-management-framework.md), financial entities shall:

   1. develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset), including those of their customers, where applicable;
   2. following a risk-based approach, establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols that may include implementing automated mechanisms to isolate affected [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) in the event of [cyber-attacks](https://www.mica.wtf/definitions/definitions/dora/cyber-attack);
   3. implement policies that limit the physical or logical access to [information assets](https://www.mica.wtf/definitions/definitions/dora/information-asset) and [ICT assets](https://www.mica.wtf/definitions/definitions/dora/ict-asset) to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof;
   4. implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and [ICT risk](https://www.mica.wtf/definitions/definitions/dora/ict-risk) assessment processes;
   5. implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity's overall change management process, in order to ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
   6. have appropriate and comprehensive documented policies for patches and updates.

   For the purposes of the first subparagraph, point (b), financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion, especially for interconnected financial processes.

   For the purposes of the first subparagraph, point (e), the ICT change management process shall be approved by appropriate lines of management and shall have specific protocols in place.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.mica.wtf/dora/digital-operational-resilience-act/chapter-ii-ict-risk-management/article-9-protection-and-prevention.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.