Put in place mechanisms to detect anomalous activities, including network performance issues, incidents (reported by the third-parties in the services that they provide), and potential material single points of failure. The mechanisms shall enable multi-layers of control, define alerting thresholds, monitoring on specific events and criteria to automatically trigger incident response. Identify and implement tools generating alerts of anomalous activities and behaviour, at least for ICT assets and information assets supporting critical or important functions. Devote sufficient resources to detection and monitoring activities, especially to cybersecurity attacks.

Identify events to be logged, covering logical access, physical access, identity management, capacity management, change management, ICT operation (including system activity), and network traffic activities (including network performance). Determine the level of detail for the logs, aligning with the purpose for which the logs were created and to enable effective detection of anomalous activities. Define retention periods for logs, considering business and security objectives, the purpose of recording logs, and risk assessments.

*Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports.