
Article 721-8 in force since

ELI : /en/eli/fr/aai/amf/rg/article/721-8/20191219/notes

The digital assets services provider shall comply with the following requirements:

  1. It shall have sufficient IT and human resources to ensure the resilience and security of its information systems, in particular by performing regular tests to analyse the vulnerability of its information systems in the event of cyberattacks;

  2. It shall implement an IT strategy consisting of clearly defined objectives and measures:

    a) which is in compliance with its economic strategy and its risk strategy and is appropriate for its operations and the risks to which it is exposed;

    b) which is based on a reliable IT organisation; and

    c) which corresponds to an efficient management of IT security.

  3. It shall establish and maintain appropriate physical and electronic security systems which reduce, insofar as possible, the risks of attacks against its information systems and include efficient management in terms of identification and access. These systems ensure the confidentiality, integrity, authenticity and availability of data and the reliability and robustness of the digital assets services provider's information systems;

  4. It shall inform the AMF immediately of any major breach of its physical and electronic security measures. It shall provide the AMF with an incident report indicating the nature of the incident, the measures implemented after it occurred and the initiatives taken to prevent similar incidents from taking place in the future; and

  5. It shall make sure that it is capable of identifying all the persons who have critical access rights to its information systems. It shall restrict the number of such persons and supervise their access to its information systems so that traceability is ensured at all times.

The digital assets services provider shall take into account the scale, organisation, nature, importance and complexity of its activity in order to comply with the requirements referred to in this Article.