diff --git a/packages/core/src/routes/profile/index.ts b/packages/core/src/routes/profile/index.ts
index ed6298d2a..87a82f20b 100644
--- a/packages/core/src/routes/profile/index.ts
+++ b/packages/core/src/routes/profile/index.ts
@@ -12,13 +12,15 @@ import {
   verifyUserSensitivePermission,
 } from '../../libraries/verification.js';
 import assertThat from '../../utils/assert-that.js';
+import { PasswordValidator } from '../experience/classes/libraries/password-validator.js';
 import type { UserRouter, RouterInitArgs } from '../types.js';
 
 export default function profileRoutes<T extends UserRouter>(
   ...[router, { queries, libraries }]: RouterInitArgs<T>
 ) {
   const {
-    users: { updateUserById },
+    users: { updateUserById, findUserById },
+    signInExperiences: { findDefaultSignInExperience },
   } = queries;
 
   const {
@@ -80,7 +82,10 @@ export default function profileRoutes<T extends UserRouter>(
       const { id: userId } = ctx.auth;
       const { password, verificationRecordId } = ctx.guard.body;
 
-      // TODO(LOG-9947): apply password policy
+      const user = await findUserById(userId);
+      const signInExperience = await findDefaultSignInExperience();
+      const passwordPolicyChecker = new PasswordValidator(signInExperience.passwordPolicy, user);
+      await passwordPolicyChecker.validatePassword(password, user);
 
       await verifyUserSensitivePermission({
         userId,
diff --git a/packages/integration-tests/src/tests/api/profile/index.test.ts b/packages/integration-tests/src/tests/api/profile/index.test.ts
index 6ca618042..a54991d7d 100644
--- a/packages/integration-tests/src/tests/api/profile/index.test.ts
+++ b/packages/integration-tests/src/tests/api/profile/index.test.ts
@@ -128,6 +128,19 @@ describe('profile', () => {
       await deleteDefaultTenantUser(user.id);
     });
 
+    it('should fail if password does not meet the password policy', async () => {
+      const { user, username, password } = await createDefaultTenantUserWithPassword();
+      const api = await signInAndGetUserApi(username, password);
+      const newPassword = '123456';
+
+      await expectRejects(updatePassword(api, 'invalid-varification-record-id', newPassword), {
+        code: 'password.rejected',
+        status: 422,
+      });
+
+      await deleteDefaultTenantUser(user.id);
+    });
+
     it('should be able to update password', async () => {
       const { user, username, password } = await createDefaultTenantUserWithPassword();
       const api = await signInAndGetUserApi(username, password);