Protecting the EU’s financial system from cyber attacks and ICT disruptions
MEPs on the Economic and Monetary Affairs Committee voted (1 December) for new rules aimed at strengthening the resilience of ICT systems in the financial services sector, specifically the requirements to detect, contain, protect against and repair ICT problems. The new requirements would be accompanied by reporting and testing of digital capabilities.
“The European Union is one step closer to having a comprehensive and well-coordinated set of rules addressing ICT risk and building cyber resilience for all entities”, said Billy Kelleher (Renew, IE), responsible for the regulation.
The rules would apply to financial entities regulated at EU-level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers and ICT third-party service providers.
Risk preparedness and reporting
The ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. MEPs want businesses to effectively respond and recover quickly while ensuring operational continuity.
In order to achieve a robust ICT-related-incident reporting regime for financial entities with less administrative burden and no reporting overlaps, MEPs agreed that they should report to their competent authorities in a centralised and harmonised manner. The possibility of establishing a single EU Hub for major ICT-related incidents should be explored.
Oversight of ICT third-party risk
The oversight should extend to providers of ICT services. MEPs recognised their crucial contribution to the functioning of the financial sector and have therefore called for them to be properly overseen at an EU-level by a Joint Oversight Body. The committee also wants one of the European supervisory authorities to directly oversee critical ICT third-party service providers. Additionally, critical ICT third-party service providers established in third countries would be required to be established in the EU in order to be able to enter into contractual arrangements with financial entities.
Finally, MEPs want to enhance the exchange of information and cooperation between the ESAs, national competent authorities, the Network and Information Systems Cooperation Group (NIS), national computer security incident response teams (CSIRTs) as well as the Lead Overseer and Joint Oversight Body. This is to ensure that the cyber security strategies adopted by member states are consistent, to make financial supervisors aware of cyber incidents and to enable a cross-sector learning process.
