Logging procedures, protocols and tools

Obligation to Establish Logging Procedures, Protocols and Tools (Article 12(1) RTS RMF)

As part of the safeguards against intrusions and data misuse, financial entities must:

  • develop,
  • document, and
  • implement

logging procedures, logging protocols and logging tools.

These components form part of the entity’s technical and organisational measures to detect anomalies, prevent misuse, and support ICT operational resilience.


Mandatory Content of Logging Procedures, Protocols and Tools (Article 12(2) RTS RMF)

The logging framework must include all of the following elements.


Identification of Events, Retention Periods, and Log Security Measures

The procedures must specify:

  • which events are to be logged;
  • the retention period for logs, taking into account:
    • business objectives,
    • information security objectives,
    • the reason for recording the event,
    • results of the ICT risk assessment;
  • measures to secure and handle log data appropriately.

Alignment of Log Detail Level with Purpose

The level of detail in logs must be:

  • aligned with the purpose and intended use of the logs,
  • sufficient to enable effective detection of anomalous activities in accordance with Article 24 RTS RMF.

Mandatory Logging of Core Events

The procedures must require the logging of events related to:

(i) Logical and physical access control & identity management

  • including successful and failed logical access,
  • physical access to premises, data centres, and sensitive areas,
  • identity lifecycle events and authentication events.

(ii) Capacity management

  • events relating to capacity thresholds, resource utilisation, performance degradation.

(iii) Change management

  • events related to changes in software, hardware, firmware, configuration, and security parameters.

(iv) ICT operations, including ICT system activities

  • system start/stop, batch jobs, scheduled tasks, operational tasks, administrative actions.

(v) Network traffic activities, including ICT network performance

  • connectivity, routing, segmentation boundaries, network anomalies, performance indicators.

Protection of Logging Systems and Log Information

The logging framework must ensure protection of:

  • logging systems, and
  • log information,

against:

  • tampering,
  • deletion,
  • unauthorised access,

at rest, in transit and, where relevant, in use.

Protection must apply across all logging components and data flows.


Detection of Logging System Failures

The procedures must include:

  • mechanisms to detect failures of logging systems, so that interruptions in log generation, storage, or transmission are promptly identifiable.

Clock Synchronisation

The procedures must require:

  • the synchronisation of clocks of all ICT systems to a documented reliable reference time source,
  • without prejudice to applicable Union or national law.

This supports forensic integrity, incident reconstruction, cross-system correlation and detection processes.

Article 12 RTS RMF