
Document 52021AB0020

Opinion of the European Central Bank of 4 June 2021 on a proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (CON/2021/20) 2021/C 343/01

OJ C 343, 26.8.2021, p. 1–13 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

26.8.2021   EN   Official Journal of the European Union   C 343/1


OPINION OF THE EUROPEAN CENTRAL BANK

of 4 June 2021

on a proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector

(CON/2021/20)

(2021/C 343/01)

Introduction and legal basis

On 22, 23 and 29 December 2020 the European Central Bank (ECB) received requests from the Council of the European Union and the European Parliament, respectively, for an opinion on a proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (1) (hereinafter the ‘proposed regulation’) and a proposal for a directive amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 (2) (hereinafter the ‘proposed amending directive’, together with the ‘proposed regulation’, the ‘proposed acts’).

The ECB’s competence to deliver an opinion is based on Articles 127(4) and 282(5) of the Treaty on the Functioning of the European Union, as the proposed acts contain provisions falling within the ECB’s fields of competence, in particular, the definition and implementation of monetary policy, the promotion of the smooth operation of payment systems, the contribution to the smooth conduct of policies pursued by competent authorities relating to the stability of the financial market system, and the ECB’s tasks concerning the prudential supervision of credit institutions pursuant to the first and fourth indents of Article 127(2), Article 127(5) and Article 127(6) of the Treaty. In accordance with the first sentence of Article 17.5 of the Rules of Procedure of the European Central Bank, the Governing Council has adopted this opinion.

1.   General observations

1.1

The ECB welcomes the proposed regulation, which aims to enhance the cyber security and operational resilience of the financial sector. In particular, the ECB welcomes the aim of the proposed regulation to remove obstacles to, and improve the establishment and functioning of, the internal market for financial services by harmonising the rules applicable in the area of information and communication technology (ICT) risk management, reporting, testing and ICT third-party risk. Furthermore, the ECB welcomes the aim of the proposed regulation to streamline and harmonise any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under Union law.

1.2

The ECB understands that the proposed regulation represents, in relation to financial entities identified as operators of essential services (3), sector-specific legislation (lex specialis) within the meaning of Article 1(7) of Directive (EU) 2016/1148 of the European Parliament and of the Council (4) (hereinafter the ‘NIS Directive’); this implies that the requirements under the proposed regulation would, in principle, prevail over the NIS Directive. In practice, financial entities identified as operators of essential services (5) would, inter alia, report incidents in accordance with the proposed regulation rather than the NIS Directive. While the ECB welcomes the reduction of potential overlapping requirements for financial entities in the field of incident reporting, further consideration should be given to the interplay between the proposed regulation and the NIS Directive. For example, under the proposed regulation an ICT third-party service provider (6) could be subject to recommendations issued by the lead overseer (7). At the same time, the very same ICT third-party service provider may be classified as an operator of essential services under the NIS Directive and be subject to binding instructions issued by the competent authority (8). In such a case, the ICT third-party service provider could be subject to conflicting recommendations issued under the proposed regulation and binding instructions issued under the NIS Directive. The ECB suggests that the Union legislative bodies reflect further on potential inconsistencies between the proposed regulation and the NIS Directive that may hamper the harmonisation and reduction of overlapping and conflicting requirements for financial entities.

1.3

The ECB also understands that under the proposal for a directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (9) (hereinafter the ‘proposed NIS2 directive’), ‘near misses’ (10) will be subject to reporting obligations (11). While Recital (39) of the proposed NIS2 directive refers to the meaning of the term ‘near misses’, it is unclear whether the intention is to require that near misses be reported by the financial entities listed in Article 2 of the proposed regulation. In this regard, and also taking into account that near misses can only be identified as such after they have occurred, the ECB would welcome receiving notification of significant near misses in a timely manner, as is currently the case for cyber incidents. The ECB suggests that there should be greater coordination between the proposed regulation and the proposed NIS2 directive to clarify the exact scope of reporting to which any given financial entity may be subject under these two distinct but connected pieces of Union legislation. At the same time, ‘near misses’ would need to be defined and provisions clarifying their significance would need to be developed.

1.4

The ECB welcomes incentivising financial entities to share cyber threat intelligence amongst each other on a voluntary basis in order to enhance and bolster their cyber resilience postures. The ECB itself has assisted with the market-driven Cyber Threat Intelligence Information Sharing Initiative (CIISI-EU) and has made available the blueprints for anyone to build and foster such an initiative (12).

1.5

The ECB supports cooperation between the competent authorities for the purposes of the proposed regulation, the European Supervisory Authorities (ESAs), and the Computer Security Incident Response Teams (CSIRTs) (13). It is essential to exchange information in order to ensure the operational resilience of the Union, as information sharing and cooperation among authorities can contribute to the prevention of cyber-attacks and help reduce the spread of ICT threats. A common understanding of ICT-related risks should be promoted and it should be ensured that such risks are assessed in a consistent manner across the Union. It is of utmost importance that information be shared with the single point of contact (14) and the national CSIRTs by competent authorities (15) only when there are clearly established classification and information sharing mechanisms, coupled with adequate safeguards to ensure confidentiality.

1.6

Finally, the ECB would welcome the introduction under the proposed regulation of rules on personal data and data retention. The length of the retention period should take into account the investigation, inspection, request for information, communication, publication, evaluation, verification, assessment and drafting of oversight or supervisory plans that the competent authorities may have to carry out as part of their respective obligations and duties under the proposed regulation. In this respect, a 15-year retention period would be adequate. This data retention period could be shortened or extended, as specific instances require. In this respect, the ECB suggests that the Union legislative bodies, in their formulation of the relevant provision on personal data and data retention, also take into account the data minimisation principle, as well as further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (16).

2.   Specific observations on oversight and securities clearing and settlement

2.1   ESCB and Eurosystem oversight competences

2.1.1

Closely linked to its basic monetary policy tasks, the Treaty and the Statute of the European System of Central Banks and of the European Central Bank (hereinafter the ‘Statute of the ESCB’) provide for the Eurosystem’s conduct of oversight over clearing and payment systems. Pursuant to the fourth indent of Article 127(2) of the Treaty, as mirrored in Article 3.1 of the Statute of the ESCB, one of the basic tasks to be carried out through the European System of Central Banks (ESCB) is to promote the smooth operation of payment systems. In the performance of this basic task, the ECB and the national central banks may provide facilities, and the ECB may make regulations, to ensure efficient and sound clearing and payment systems within the Union and with other countries (17). Pursuant to its oversight role, the ECB adopted Regulation (EU) No 795/2014 of the European Central Bank (ECB/2014/28) (hereinafter the ‘SIPS Regulation’) (18). The SIPS Regulation implements, in prescriptive and legally binding form, the Principles for financial market infrastructures of April 2012 issued by the Committee on Payment and Settlement Systems and the International Organisation of Securities Commissions (19), and covers both large-value and retail payment systems of systemic importance, whether operated by a Eurosystem central bank or by a private entity. The Eurosystem oversight policy framework (20) identifies payment instruments as an ‘integral part of payment systems’ and thus includes these within the scope of its oversight. The oversight framework for payment instruments is currently under review (21). Under that framework, a payment instrument (e.g. a card, credit transfer, direct debit, e-money transfer or digital payment token (22)) is defined as a personalised device (or a set of devices) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a transfer of value (23).

2.1.2

In the light of the above, the ECB welcomes the exclusion, in the scope article of the proposed regulation, of system operators as defined in point (p) of Article 2 of Directive 98/26/EC of the European Parliament and of the Council (24), payment systems (including those operated by central banks), payment schemes and payment arrangements, in view of the application of the above-referenced oversight frameworks. For the same reasons, the ESCB’s competences under the Treaty and the Eurosystem’s competences under the SIPS Regulation should be clearly spelled out in the recitals of the proposed regulation.

2.1.3

By the same token, the ECB welcomes the exclusion from the application of the oversight framework set out in the proposed regulation of ICT third-party service providers that are subject to oversight frameworks established for the purposes of supporting the tasks referred to in Article 127(2) of the Treaty (25). In this respect, the ECB would like to stress that ESCB central banks acting in their monetary capacities (26) and the Eurosystem when providing services via TARGET2, TARGET2-Securities (T2S) (27) and TARGET Instant Payment Settlement (TIPS) (28) are not subject to the scope article of the proposed regulation, nor can they be deemed ICT third-party service providers and thus potentially classified as critical ICT third-party service providers for the purposes of the proposed regulation. The Eurosystem oversees T2S in connection with its mandate to ensure efficient and sound clearing and payment systems. Furthermore, ESMA has clarified that T2S is not a critical service provider (29) within the meaning of Regulation (EU) No 909/2014 of the European Parliament and of the Council (30) (hereinafter the ‘CSD Regulation’). As a result, T2S’s organisational and operational safety, efficiency and resilience are ensured through the applicable legal, regulatory and operational framework and the agreed governance arrangements of T2S, as opposed to via the CSD Regulation.

2.1.4

In addition, the Eurosystem’s oversight policy framework (31) covers critical service providers such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT is a limited liability cooperative company established in Belgium, which provides secure messaging services internationally. The Nationale Bank van België/Banque Nationale de Belgique acts as lead overseer of SWIFT and conducts, on the basis of a cooperative oversight arrangement, oversight in respect of SWIFT, in cooperation with the other G10 central banks, including the ECB. The G10 overseers recognise that the main focus of oversight is SWIFT’s operational risk, as this is considered to be the primary risk category through which SWIFT could pose a systemic risk to the financial system in the Union. In this regard, the SWIFT Cooperative Oversight Group has developed a specific set of principles and high-level expectations that apply to SWIFT, covering matters such as risk identification and management, information security, reliability and resilience, technology planning and communication with users. The G10 overseers expect SWIFT to adhere to the Committee on Payments and Market Infrastructures (CPMI) and International Organisation of Securities Commissions (IOSCO) Guidance on cyber resilience (32) as well as other international standards on ICT security which, when taken together, exceed the requirements set out in the proposed regulation.

2.1.5

It cannot be excluded that SWIFT, and perhaps other service providers subject to the Eurosystem oversight policy framework, could become subject to the proposed regulation as ICT third-party service providers if they were to provide services not covered under Article 127(2) of the Treaty. The ECB therefore strongly suggests that service providers already subject to the Eurosystem oversight policy framework, including but not limited to SWIFT, be excluded from the scope of application of the oversight framework set out under the proposed regulation.

2.2   ESCB competences in the area of securities settlement

2.2.1

Central securities depositories (CSDs) are financial market infrastructures (FMIs) that are strictly regulated and supervised by different authorities pursuant to the CSD Regulation, which sets out requirements pertaining to the settlement of financial instruments as well as rules on the organisation and conduct of CSDs. Furthermore, CSDs should take note of the CPMI-IOSCO Guidance on cyber resilience, which has been operationalised by the Cyber resilience oversight expectations for financial market infrastructures (December 2018) (33). In addition to the supervisory competences entrusted to national competent authorities (NCAs) under the CSD Regulation, the members of the ESCB act as ‘relevant authorities’, in their capacity as overseers of securities settlement systems operated by CSDs, as central banks issuing the most relevant currencies in which settlement takes place and as central banks in whose books the cash leg of transactions is settled (34). In this regard, recital 8 of the CSD Regulation states that the Regulation should apply without prejudice to the responsibilities of the ECB and the national central banks to ensure efficient and sound clearing systems and payment systems within the Union and other countries. Recital 8 also states that the CSD Regulation should not prevent the members of the ESCB from accessing information relevant to the performance of their duties (35), including the oversight of CSDs and other FMIs (36).

2.2.2

In addition, the members of the ESCB often act as settlement agents for the cash leg of securities transactions and the Eurosystem offers settlement services via T2S to CSDs. The Eurosystem’s oversight of T2S is related to its mandate to ensure efficient and sound clearing and payment systems, while competent and relevant authorities of CSDs aim to ensure their smooth functioning, the safety and efficiency of settlement and the proper functioning of financial markets in their respective jurisdictions.

2.2.3

Under the proposed regulation (37) ESCB central banks are not involved in the development of technical standards as regards the specification of ICT risks. Similarly, under the proposed regulation (38) the relevant authorities are not informed of any ICT-related incidents. ESCB central banks should keep the same level of involvement as currently provided under the CSD Regulation, and the relevant authorities should be notified of ICT-related incidents. The Eurosystem is the relevant authority for all euro area CSDs and for several other EU CSDs. ESCB central banks would need to be informed about ICT-related incidents that are relevant to the performance of their duties, including the oversight of CSDs and other FMIs. The risks to which CSDs are exposed, including ICT risks, have the potential to threaten the sound functioning of CSDs. Therefore, ICT risks are of importance to relevant authorities, which should be provided with a full and detailed overview of these risks in order to assess them and influence the CSDs’ risk management approach. The proposed regulation should not provide for less restrictive requirements as regards ICT risks when compared to those provided under the CSD Regulation and the current related regulatory technical standards.

2.2.4

In addition, the Union legislative bodies should clarify the interplay between the proposed regulation (39) and the regulatory technical standards supplementing the CSD Regulation. In particular, it is not clear whether a CSD is to be exempted from the obligation of having its own secondary site where its ICT third-party service provider maintains such a site (40). Should a CSD be exempt from this obligation to maintain a secondary site, it is unclear what legal value this requirement would have. By the same token, the proposed regulation (41) refers to a recovery time objective and recovery point objectives for each function (42), while the relevant regulatory technical standard makes a distinction between critical functions (43) and critical operations (44) in relation to the recovery time set for CSDs’ critical operations. Further clarification and reflection by the Union legislative bodies are warranted on the interplay between the proposed regulation and the regulatory technical standards supplementing the CSD Regulation in order to avert the risk of conflicting requirements. Finally, it should be clarified that exemptions granted to CSDs operated by certain public entities under the CSD Regulation (45) are extended under the proposed regulation.

2.3   ESCB competences in the area of securities clearing

2.3.1

ESCB central banks are entrusted with oversight competences in relation to central counterparties (CCPs). In this respect, the Eurosystem national central banks often cooperate with the relevant national competent authorities in the oversight and supervisory functions of CCPs and participate in the respective CCP’s college established under Regulation (EU) No 648/2012 of the European Parliament and of the Council (46) (hereinafter ‘EMIR’). The relevant members of the Eurosystem (47) participate in EMIR colleges in their oversight capacity and represent the Eurosystem as a central bank of issue for CCPs where the euro is one of the most relevant currencies for the financial instruments cleared (and for offshore CCPs that clear a significant proportion of financial instruments in euro). The ECB is the central bank of issue for non-euro area CCPs.

2.3.2

Under the proposed regulation (48) ESCB central banks are not involved in the development of technical standards as regards the specification of ICT risks. Moreover, the proposed regulation (49) lacks any reference to the recovery time objective and recovery point objective requirements under EMIR (50). The proposed regulatory set-up should not provide for less restrictive requirements regarding ICT risks than those that currently exist. Hence, it is critical to set clear recovery time and recovery point objectives in order to have a sound business continuity management framework. Maintaining specific recovery time and recovery point objectives is also part of the CPMI-IOSCO Principles for Financial Market Infrastructures (51). The current provision under EMIR should be retained, and the proposed regulation should be adapted accordingly. The ESCB central banks should be involved in the preparation of any secondary level legislation, and further clarification and reflection by the Union legislative bodies are warranted on the interplay between the proposed regulation and the regulatory technical standards supplementing EMIR, so as to avert the risk of conflicting or overlapping requirements.

3.   Specific observations on prudential supervisory aspects

3.1

Council Regulation (EU) No 1024/2013 (52) (hereinafter the ‘SSM Regulation’) confers specific tasks on the ECB concerning the prudential supervision of credit institutions within the euro area and makes the ECB responsible for the effective and consistent functioning of the Single Supervisory Mechanism (SSM), within which specific supervisory responsibilities are distributed between the ECB and the participating NCAs. In particular, the ECB has the task of authorising and withdrawing the authorisation of all credit institutions. The ECB also has the task, among others, of ensuring compliance with the relevant Union laws imposing prudential requirements on credit institutions, including the requirement to have in place robust governance arrangements, such as sound risk management processes and internal control mechanisms (53). To this end, the ECB is given all the supervisory powers to intervene in the activity of credit institutions that are necessary for the exercise of its functions. The ECB and the relevant NCAs are thus the competent authorities exercising specified prudential supervisory powers under Regulation (EU) No 575/2013 of the European Parliament and of the Council (54) (hereinafter the ‘Capital Requirements Regulation’) and Directive 2013/36/EU of the European Parliament and of the Council (55) (hereinafter the ‘Capital Requirements Directive’).

3.2

The proposed regulation states that the single rulebook and system of supervision should be further developed to cover digital operational resilience and ICT security, by enlarging the mandates of financial supervisors tasked with monitoring and protecting financial stability and market integrity (56). The aim is to foster a comprehensive ICT or operational risk framework through the harmonisation of key digital operational resilience requirements for all financial entities (57). In particular, the proposed regulation aims at consolidating and upgrading ICT risk requirements that are, to date, separately addressed in different pieces of legislation (58).

3.3

The requirements related to ICT risk for the financial sector are currently spread over a number of acts of Union law, including the Capital Requirements Directive, and soft law instruments (such as EBA guidelines), and are diverse and occasionally incomplete. In some cases, ICT risk has only been implicitly addressed as part of operational risk, whereas in others it has not been addressed at all. This should be remedied by aligning the proposed regulation and those acts. To that end, the proposed amending directive puts forward a set of amendments that appear necessary to bring legal clarity and consistency in relation to the application of the various digital operational resilience requirements. However, the amendments to the Capital Requirements Directive currently suggested by the proposed amending directive (59) only refer to the provisions on contingency and business continuity plans (60), given that, purportedly, they implicitly serve as a basis for addressing ICT risk management.

3.4

Furthermore, the proposed regulation (61) provides that financial entities, including credit institutions, shall have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks. The proposed regulation (62) provides for the application at the individual and consolidated level of the requirements set out in it, but without sufficient coordination with the sector-specific legislation referred to. Lastly, the proposed regulation (63) provides that, without prejudice to the provisions on the oversight framework for critical ICT third-party service providers referred to in the proposed regulation (64), compliance with the obligations set out therein shall be ensured, for credit institutions, by the competent authority designated in accordance with Article 4 of the Capital Requirements Directive, without prejudice to the specific tasks conferred on the ECB by the SSM Regulation.

3.5

In view of the foregoing, the ECB understands that, in relation to credit institutions, and save for the provisions of the proposed regulation relating to the oversight framework for critical ICT third-party service providers (65), the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk that will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of the compliance with the obligations set out under the proposed framework, including the ECB, will be the authorities responsible for banking supervision in accordance with the SSM Regulation.

3.6

The Union legislative bodies may thus wish to take into consideration the following suggestions to increase clarity and coordination between the proposed regulation and the Capital Requirements Directive. First, the requirements under the proposed regulation may expressly be qualified as prudential, as has been done, inter alia, in the CSD Regulation (66). Second, the recitals of the proposed amending directive (67) could broaden their wording given that the requirements under the proposed regulation go beyond the sole phase of contingency and business continuity plans. ICT risk governance measures, overall, fall under the more general scope of robust governance arrangements under Article 74 of the Capital Requirements Directive (68). Third, the proposed regulation (69) should be amended in order to recall in the recitals the ECB’s competence for the prudential supervision of credit institutions under the Treaty and the SSM Regulation. Fourth, the reference to the application at the individual and consolidated level of the requirements therein provided (70) should be revised since sub-consolidated and consolidated levels are not defined in the proposed regulation, and certain types of intermediaries are not subject to consolidated supervision under the relevant legislation (e.g. payment institutions). Moreover, the level of application of the requirements under the proposed regulation should spring solely from the legislation applicable to each type of financial entity. In the case of credit institutions, a clear connection between the Capital Requirements Directive and the proposed regulation is provided for, and so the requirements under the proposed regulation would automatically apply at individual, sub-consolidated or consolidated level (71), as the case may be. 
Finally, the Union legislative bodies could consider providing a transitional regime to manage the period between the entry into force of the proposed regulation and the entry into force of the regulatory technical standards envisaged in the proposed regulation, given that some intermediaries, including credit institutions, are already subject to rules on ICT risks that are applicable to specific sectors and are more detailed than the general provisions of the proposed regulation.

3.7

The ECB has been entrusted under the SSM Regulation with the task of ensuring compliance by credit institutions with Union law requirements requiring credit institutions to have in place robust risk management processes and internal control mechanisms (72). This means that the ECB must ensure that credit institutions implement policies and processes to evaluate and manage their exposure to operational risk, including model risk, and to cover low-frequency, high-severity events. Credit institutions are required to articulate what constitutes operational risk for the purposes of these policies and procedures (73).

3.8

In July 2017 the Governing Council of the ECB adopted the SSM Cyber Incident Reporting Framework (hereinafter the ‘Framework’), on the basis of a draft proposal of the Supervisory Board in accordance with Article 26(8) and Article 6(2) of the SSM Regulation and Article 21(1) of Regulation (EU) No 468/2014 of the European Central Bank (ECB/2014/17) (74). The Framework consists of a binding request (individual decisions addressed to credit institutions) for information and/or reporting on the basis of Article 10 of the SSM Regulation (75). Some countries already have an incident reporting process in place, requiring credit institutions to report all significant cyber incidents to their NCAs. In those countries, significant credit institutions will still report incidents to the NCAs, which will then forward them without undue delay to the ECB on behalf of the supervised entities. Therefore, the decisions referred to above are also addressed to these national competent authorities, requiring them to forward that information to the ECB on the basis of the Framework. The ECB supports the Union legislative bodies’ effort to promote harmonisation and streamlining, inter alia, regarding the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, the ECB stands ready to amend (and potentially repeal) the Framework, where necessary, in the light of the eventual adoption of the proposed regulation.

4.   Specific observations on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk

4.1   ICT risk management

4.1.1

The ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO Guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for FMIs.

4.1.2

The ECB supports the notion that financial entities should have to perform risk assessments upon each ‘major change’ in the network and information system infrastructure (76). Having said that, the proposed regulation contains no definition of ‘major change’, creating unwelcome scope for diverging interpretations by financial entities that could ultimately hamper the proposed regulation’s harmonisation aims. For the sake of legal certainty, the Union legislative bodies might wish to consider the introduction of a definition of ‘major change’ in the proposed regulation.

4.1.3

The ECB generally supports the idea that financial entities other than microenterprises shall report relevant costs and losses caused by ICT disruptions and ICT related incidents to competent authorities (77). However, to ensure the overall effectiveness of the system, and to avoid the possibility of overwhelming competent authorities and financial entities with an excessive number of reports, the introduction of relevant thresholds, possibly of a quantitative nature, could be usefully explored by the Union legislative bodies.

4.1.4

The ECB acknowledges the possibility of financial entities delegating to intra-group or external undertakings the tasks of verifying compliance with ICT risk management requirements, upon approval by the competent authorities (78). At the same time, it is important that the Union legislative bodies clarify how the approval by the competent authorities would be granted in cases where a financial entity is subject to multiple competent authorities. This could occur where a financial entity is a credit institution, a crypto-assets service provider and/or a payment service provider. Finally, in relation to the identification and classification to be performed by financial entities under the proposed regulation (79), the ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to take into account the criticality of such assets (i.e. whether they support critical functions).

4.2   Incident reporting

4.2.1

The ECB welcomes the efforts outlined in the proposed regulation to harmonise the ICT incident reporting landscape within the Union and work towards a centralised reporting of major ICT-related incidents (80). The introduction of a harmonised framework for the reporting of major ICT-related incidents (81) to the relevant competent authorities would in principle streamline and harmonise the reporting burden of financial entities, including credit institutions. Competent authorities would benefit from the broader scope of incidents covered, going beyond cyber-related incidents currently covered by existing frameworks (82). The future adoption of the proposed regulation would require reviewing and potentially repealing existing frameworks, including the SSM Cyber Incident Reporting Framework. Having said that, in order to achieve a true streamlining and full alignment across all frameworks, it is critical to ensure that the scope of the incident reporting provisions under the proposed regulation, including all the relevant definitions, thresholds and reporting parameters, be fully aligned with relevant frameworks. In particular, it is of the utmost importance to ensure alignment between on the one hand the proposed regulation, and, on the other hand, Directive (EU) 2015/2366 of the European Parliament and of the Council (83) (hereinafter the ‘PSD2’) and the EBA Guidelines on major incident reporting (hereinafter the ‘EBA Guidelines’). The proposed amending directive (84) contains amendments to the PSD2 in relation to the delineation of the incident reporting between the proposed regulation and the PSD2, which would affect mainly payment service providers, who could also be authorised as credit institutions, as well as the competent authorities. There is a lack of clarity as regards the incident notification process, and there is a potential overlap between some of the incidents that need to be reported under both the proposed regulation and the EBA Guidelines.

4.2.2

The processes for notifying major incidents under, respectively, the proposed regulation (85), the PSD2 and the corresponding EBA Guidelines would require payment service providers to submit an incident report to their respective competent authority once the incident has been classified. As a matter of fact, initial reports do not capture the essence, cause or functional area affected by the incident, and payment service providers may only be in a position to make such distinctions at a later stage, when more detailed information about the incident becomes available. As a result, initial incident reports could be submitted both under the proposed regulation and the EBA Guidelines, or payment service providers may decide upon a single reporting framework and correct their submissions at a later date. The same uncertainty (as regards, for instance, the root cause of any incident) may also be reflected in intermediate and final reports. This would once again raise the potential for parallel submission of reports to the competent authorities under the proposed regulation and the PSD2.

4.2.3

Some incidents that may be categorised as ICT-related incidents may also have an impact on other areas and, as a result, would need to be notified under the EBA Guidelines. This may be the case where an incident has an impact from an ICT perspective but, at the same time, has also affected the provision of payment services directly and/or other non-ICT functional areas or channels. In addition, there could be instances where it is not possible to distinguish between operational and ICT-related incidents. Furthermore, in the case where the same financial entity is a significant credit institution and a payment service provider, under the proposed regulation the same entity would have to report the ICT-related incident twice, being subject to two competent authorities. In view of the foregoing, the proposed regulation should articulate more clearly how the interplay between the PSD2 and the EBA Guidelines is meant to work in practice. More significantly, it would be important, for the sake of harmonisation and streamlining of reporting obligations, that the Union legislative bodies reflect on residual issues of double reporting, and that they clarify whether the proposed regulation on the one hand, and the PSD2 and EBA Guidelines on the other hand, would co-exist, or whether there should be a single set of incident reporting requirements.

4.2.4

The proposed regulation introduces a requirement for the competent authorities (86), upon receipt of a report, to acknowledge receipt of notification and as quickly as possible to provide all necessary feedback or guidance to the financial entity, in particular to discuss remedies at the level of the entity or ways to minimise the adverse impact across sectors. This would mean that the competent authorities should actively contribute to managing and remediating incidents while at the same time also assessing the response of a supervised entity to critical incidents. The ECB emphasises that the responsibility for and ownership of the remediation and the consequences of an incident should remain solely and clearly with the financial entity concerned. The ECB would therefore propose to limit the feedback and guidance to high-level prudential feedback and guidance only. If feedback were wider, it would require specialised professionals with very considerable technical knowledge not typically available in the talent pool available to prudential authorities.

4.3   Digital operational resilience testing

4.3.1

The ECB welcomes the requirements set out under the proposed regulation (87) on digital operational resilience testing across financial entities and the need for each institution to have its own testing programme. The proposed regulation (88) describes different types of tests as indicative for financial entities. The types of tests are not very clear and some tests, such as compatibility tests, questionnaires, or scenario-based tests, are open to interpretation by ESAs, competent authorities or financial entities. In addition, there is also no guidance as to the frequency of each test. A possible approach could be that the proposed regulation would set out generic testing requirements, with a more precise description of the types of tests being set out in regulatory and implementing technical standards.

4.3.2

Threat-led penetration testing (TLPT) is a powerful tool to test security defences and preparedness. The ECB therefore encourages TLPT by financial entities. With this tool, not only technical measures are tested, but also staff and processes. The results of these tests can significantly increase the security awareness of the senior management within the entities being tested. The European Framework for Threat Intelligence Based Ethical Red-teaming (TIBER-EU) (89) and other TLPT tools already available outside the Union are primary instruments for entities themselves to assess, test, practise and improve their cyber resilience posture and defences.

4.3.3

In most Member States where TIBER-EU has been implemented, overseers and supervisors do not play an active role in the implementation of a localised TIBER-XX programme, and the TIBER Cyber Team (TCT) is situated in almost all cases independently of these functions. For this reason, advanced testing under the proposed regulation (90), by means of TLPT, should be implemented as a tool to strengthen the financial ecosystem and enhance financial stability rather than as a purely supervisory tool. In addition, there is no need for the development of a new advanced cyber resilience testing framework, as Member States have already widely adopted TIBER-EU, the only such framework in the EU at present.

4.3.4

Requirements for testers should not be contained in the main body of the proposed regulation, as the TLPT-related sector is still developing and innovation may be hindered by mandating specific requirements. Having said that, the ECB is of the view that in order to ensure a high degree of independence when conducting tests, financial entities should not employ or contract testers that are employed or contracted by financial entities in their own group or that are otherwise owned and/or controlled by the financial entities to be tested.

4.3.5

In order to reduce the risk of fragmentation and ensure harmonisation, the proposed regulation should mandate one TLPT framework that applies to the financial sector across the Union. Fragmentation may lead to increases in terms of costs, and of technical, operational and financial resource requirements, for both competent authorities and financial institutions. These increased costs and requirements may ultimately have a negative impact on the mutual recognition of tests. This lack of harmonisation and the resulting issues with mutual recognition are especially critical for financial entities, which may hold multiple licences and/or operate in multiple jurisdictions across the Union. The regulatory and implementing technical standards, which are to be drafted for TLPT under the proposed regulation, should be in accordance with TIBER-EU. Furthermore, the ECB welcomes the opportunity to be involved in the preparation of these regulatory and implementing technical standards in cooperation with the ESAs.

4.3.6

The active involvement of competent authorities in the tests could result in a potential conflict of interest with the other function they perform, i.e. assessing the financial entity’s testing framework. Against this background, the ECB proposes to remove from the proposed regulation any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a TLPT test.

4.4   ICT third-party risk

4.4.1

The ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, in order to achieve an effective ICT risk identification and management, it is important to correctly identify and classify, inter alia, critical ICT third-party service providers. In this regard, while the introduction of delegated acts (91) that will supplement the criteria to be used for classification purposes (92) is welcomed, the ECB should be consulted prior to the adoption of such delegated acts.

4.4.2

As regards the structure of the oversight framework (93), further clarification is needed with respect to the role to be undertaken by the Joint Committee. At the same time, the ECB welcomes its inclusion in the Oversight Forum as an observer, as this role will provide the ECB with the same access to documentation and information as voting members (94). The ECB would like to draw the Union legislative bodies’ attention to the fact that the ECB, in its role as an observer, would contribute to the work of the Oversight Forum both in its capacity as a central bank of issue, with responsibility for the oversight of market infrastructures, and as prudential supervisor of credit institutions. In addition, the ECB notes that, besides being an observer in the Oversight Forum, the ECB would also, as competent authority, be part of the joint examination team. In this respect, further reflection by the Union legislative bodies could be given to the composition of the joint examination teams (95) so as to ensure an appropriately weighty involvement of the relevant competent authorities. By the same token, the ECB believes that the maximum number of participants in the joint examination teams should be increased, taking into account the criticality, the complexity and the scope of the ICT third-party services.

4.4.3

The ECB notes that under the proposed regulation the lead overseer may prevent critical ICT third-party service providers from entering into further subcontracting arrangements where (i) the envisaged sub-contractor is an ICT third-party service provider or an ICT sub-contractor established in a third country and (ii) the subcontracting concerns a critical or important function of the financial entity. The ECB wishes to highlight that these powers can only be exercised by the lead overseer in the context of subcontracting arrangements where a critical ICT third-party service provider subcontracts a critical or important function to a separate legal entity established in a third country. The ECB understands that the lead overseer could not exercise comparable powers to prevent a critical ICT third-party service provider from outsourcing critical or important functions of the financial entity to facilities of that service provider that are located in a third country. It could be the case, for example, that, from an operational standpoint, critical data and/or information may be stored or processed by facilities located outside the European Economic Area (EEA). In such a case, the powers of the lead overseer may not adequately empower the competent authorities to access all information, premises, infrastructures and personnel relevant for the performance of all critical or important functions of the financial entity. In order to ensure that competent authorities are able to perform their tasks unhindered, the ECB suggests that the lead overseer should be granted the power to also restrict the use by critical ICT third-party service providers of facilities located outside the EEA. This power could be exercised in those specific cases where administrative arrangements with the relevant third country authorities, as provided under the proposed regulation, are not in place (96), or where the representatives of the critical ICT third-party service providers fail to provide sufficient reassurances under the framework of the relevant third country as to the access to the information, premises, infrastructure and personnel which is needed to conduct oversight or supervisory tasks.

4.4.4

Finally, requiring the competent authorities to follow up on the recommendations of the lead overseer (97) could risk proving ineffective, as competent authorities may not have a holistic view of the risks generated by each critical ICT third-party service provider. In addition, the competent authorities may be required to take actions against their supervised financial entities where the recommendations are not addressed by the critical third-party service providers. Under the proposed regulation (98), the competent authorities may require their supervised financial entities to temporarily suspend the critical third-party service or to terminate outstanding contracts with critical third-party service providers. It is difficult to translate the envisaged follow-up process into concrete actions. Specifically, it is not clear whether a supervised financial entity will be in a position to suspend or terminate a contract with a critical third-party service provider. This is because the critical ICT third-party service provider could be a significant provider for that financial entity, or because of the costs and damages, contractual or otherwise, that the financial entity may suffer as a consequence of such a suspension or termination. Moreover, this approach is not supportive of oversight convergence, since competent authorities may interpret the same recommendation in a divergent manner. This could ultimately hamper the envisaged harmonisation and consistent approach in the monitoring of critical ICT third-party risk at the Union level. In view of the foregoing, the Union legislative bodies may wish to consider granting the legal overseers specific enforcement powers vis-à-vis critical ICT third-party service providers, taking into account the limits imposed by the Meroni doctrine, as partially mitigated by the Court of Justice in its judgement in the ESMA case (99).

Where the ECB recommends that the proposed regulation be amended, specific drafting proposals are set out in a separate technical working document accompanied by an explanatory text to this effect. The technical working document is available in English on EUR-Lex.

Done at Frankfurt am Main, 4 June 2021.

The President of the ECB

Christine LAGARDE


(1)  COM(2020) 595 final.

(2)  COM(2020) 596 final.

(3)  See Article 1(2) of the proposed regulation.

(4)  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

(5)  See Article 5 of the NIS Directive.

(6)  See Article 3(15) of the proposed regulation.

(7)  See Article 31(1)(d) of the proposed regulation.

(8)  See Article 15(3) of the NIS Directive.

(9)  COM(2020) 823 final.

(10)  Events that could potentially have caused harm, but were successfully prevented from fully transpiring; see Recital (39) of the NIS2 Directive.

(11)  See Article 11 of the NIS2 Directive.

(12)  Cyber threat Intelligence Information Sharing Initiative (CIISI-EU) available at the ECB’s website www.ecb.europa.eu.

(13)  See Article 42 of the proposed regulation.

(14)  See Article 8(3) of the NIS Directive.

(15)  See also Articles 11, 26 and 27 of the NIS2 Directive.

(16)  See Articles 4(b) and 13 of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(17)  See Article 22 of the Statute of the ESCB.

(18)  Regulation (EU) No 795/2014 of the European Central Bank of 3 July 2014 on oversight requirements for systemically important payment systems (ECB/2014/28) (OJ L 217, 23.7.2014, p. 16).

(19)  Available on the Bank for International Settlements’ website at www.bis.org.

(20)  Eurosystem oversight policy framework, Revised version (July 2016) available on the ECB’s website at www.ecb.europa.eu.

(21)  See the revised and consolidated Eurosystem oversight framework for electronic payment instruments, schemes and arrangements of October 2020 (PISA framework), available on the ECB’s website at www.ecb.europa.eu.

(22)  A digital payment token is a digital representation of value backed by claims or assets recorded elsewhere and enabling the transfer of value between end users. Depending on the underlying design, digital payment tokens can foresee a transfer of value without necessarily involving a central third-party and/or using payment accounts.

(23)  ‘Transfer of value’: ‘The act, initiated by the payer or on the payer’s behalf or by the payee, of transferring funds or digital payment tokens, or placing or withdrawing cash on/from a user account, irrespective of any underlying obligations between the payer and the payee. The transfer can involve a single or multiple payment service providers.’ This definition of ‘transfer of value’ under the PISA framework departs from the definition of a transfer of ‘funds’ under Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35). A ‘transfer of value’ in the context of a ‘payment instrument’ as defined in that Directive can only refer to a transfer of ‘funds’. Under that Directive, ‘funds’ do not include digital payment tokens unless the tokens can be classified as electronic money (or more hypothetically as scriptural money).

(24)  Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems (OJ L 166, 11.6.1998, p. 45).

(25)  See Article 28(5) of the proposed regulation.

(26)  See paragraph 1.3 of Opinion of the European Central Bank of 19 February 2021 on a proposal for a regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (CON/2021/4). All ECB Opinions are published in EUR-Lex.

(27)  See Annex IIa to Guideline ECB/2012/27 of the European Central Bank of 5 December 2012 on a Trans-European Automated Real-time Gross settlement Express Transfer system (TARGET2) (OJ L 30, 30.1.2013, p. 1). Guideline ECB/2012/13 of the European Central Bank of 18 July 2012 on TARGET2-Securities (OJ L 215, 11.8.2012, p. 19); Decision ECB/2011/20 of the European Central Bank of 16 November 2011 establishing detailed rules and procedures for implementing the eligibility criteria for central securities depositories to access TARGET2-Securities services (OJ L 319, 2.12.2011, p. 117). See also the T2S Framework Agreement and the Collective Agreement.

(28)  See Annex IIb to Guideline ECB/2012/27.

(29)  See Article 30(5) of Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1) and Article 68 of Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017, p. 48).

(30)  Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1).

(31)  Eurosystem oversight policy framework, Revised version (July 2016) available on the ECB’s website at www.ecb.europa.eu.

(32)  Available on the Bank for International Settlements’ website at www.bis.org.

(33)  Available on the ECB’s website at www.ecb.europa.eu.

(34)  See Article 12 of Regulation (EU) No 909/2014.

(35)  See also Article 13, and Articles 17(4) and 22(6) of Regulation (EU) No 909/2014.

(36)  See paragraph 7.3 of Opinion of the European Central Bank of 6 April 2017 on the identification of critical infrastructures for the purpose of information technology security (CON/2017/10); paragraph 7.2 of Opinion of the European Central Bank of 8 November 2018 on designation of essential services and operators of essential services for the purpose of network and information systems security (CON/2018/47); paragraph 3.5.2 of Opinion of the European Central Bank of 2 May 2019 on the security of network and information systems (CON/2019/17); and paragraph 3.5.2 of Opinion of the European Central Bank of 11 November 2019 on the security of network and information systems (CON/2019/38).

(37)  See Article 54(5) of the proposed regulation and Article 45(7) of Regulation (EU) No 909/2014.

(38)  See Article 54(4) of the proposed regulation and Article 45(6) of Regulation (EU) No 909/2014.

(39)  See Article 11(5) of the proposed regulation.

(40)  See Article 78(3) of Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 of the European Parliament and of the Council with regard to regulatory technical standards on authorisation, supervisory and operational requirements for central securities depositories (OJ L 65, 10.3.2017, p. 48).

(41)  See Article 11(6) of the proposed regulation.

(42)  See Article 3(17) of the proposed regulation.

(43)  See Article 76(2)(d) and (e) of Commission Delegated Regulation (EU) 2017/392.

(44)  See Article 78(2) and (3) of Commission Delegated Regulation (EU) 2017/392.

(45)  See Article 1(4) of Regulation (EU) No 909/2014.

(46)  Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

(47)  See Article 18(2)(g) and (h) of EMIR.

(48)  See Article 53(2)(b) and (3) of the proposed regulation and Article 34(3) of EMIR.

(49)  See Article 53(2)(a) of the proposed regulation.

(50)  See Article 34 of EMIR.

(51)  See CPMI-IOSCO Principles for Financial Market Infrastructures available on the website of the Bank for International Settlements: www.bis.org.

(52)  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).

(53)  See Articles 4(1)(e) and 6(4) of Regulation (EU) No 1024/2013.

(54)  Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

(55)  Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

(56)  See Recital (8) of the proposed regulation.

(57)  See Recital (11) of the proposed regulation.

(58)  See Recital (12) of the proposed regulation.

(59)  See Recitals (4) and (5) of the proposed amending directive.

(60)  See Article 85 of the Capital Requirements Directive.

(61)  See Article 4(1) of the proposed regulation.

(62)  See Article 25(3) and (4) of the proposed regulation.

(63)  See Article 41 of the proposed regulation.

(64)  See Section II of Chapter V of the proposed regulation.

(65)  See Section II of Chapter V of the proposed regulation.

(66)  See title of Chapter II, Section 4, “Prudential requirements” of the CSD Regulation.

(67)  See Recital (4) of the proposed amending directive.

(68)  Article 85 of Directive 2013/36/EU is a mere specification. In this regard, please see also pages 4, 11 and 37 of the European Banking Authority Guidelines on ICT and security risk management of 29 November 2019 (hereinafter the “EBA Guidelines”), where the general legal basis is expressly found in Article 74 of Directive 2013/36/EU.

(69)  See Article 41(1) of the proposed regulation.

(70)  See Article 25(3) and (4) of the proposed regulation.

(71)  See also Article 109 of the Capital Requirements Directive.

(72)  See Article 4(1)(e) of the SSM Regulation.

(73)  See Article 85 of the Capital Requirements Directive.

(74)  Regulation (EU) No 468/2014 of the European Central Bank of 16 April 2014 establishing the framework for cooperation within the Single Supervisory Mechanism between the European Central Bank and national competent authorities and with national designated authorities (SSM Framework Regulation) (ECB/2014/17) (OJ L 141, 14.5.2014, p. 1).

(75)  Specifically, a cyber incident (an identified possible breach of information security, whether malicious or accidental) must be reported to the ECB if at least one of the following conditions is met: (1) there is a potential financial impact of €5 million or 0.1% of CET1; (2) the incident is publicly reported or causes reputational damage; (3) the incident was escalated to the CIO outside of the regular reporting; (4) the bank notified the incident to the CERT/CSIRT, a security agency or the police; (5) disaster recovery or business continuity procedures have been triggered or a cyber insurance claim has been filed; (6) there has been a breach of legal or regulatory requirements; or (7) the bank uses internal criteria and expert judgement (including a potential systemic impact) and decides to inform the ECB.

(76)  See Article 7(3) of the proposed regulation.

(77)  See Article 10(9) of the proposed regulation.

(78)  See Article 5(10) of the proposed regulation.

(79)  See Article 7 of the proposed regulation.

(80)  See Article 19 of the proposed regulation.

(81)  See Articles 3(7), 17 and 18 of the proposed regulation.

(82)  See for example the Framework.

(83)  Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).

(84)  See Article 7(9) of the proposed amending directive.

(85)  See Article 17(3) of the proposed regulation.

(86)  See Article 20 of the proposed regulation.

(87)  See Articles 21 and 22 of the proposed regulation.

(88)  See Article 22(1) of the proposed regulation.

(89)  Available on the ECB’s website at www.ecb.europa.eu.

(90)  Articles 23 and 24 of the proposed regulation.

(91)  See Article 28(3) of the proposed regulation.

(92)  See Article 28(2) of the proposed regulation.

(93)  See Article 29 of the proposed regulation.

(94)  See Article 29(3) of the proposed regulation.

(95)  See Article 35 of the proposed regulation.

(96)  See Article 39(1) of the proposed regulation.

(97)  See Article 29(4) and Article 37 of the proposed regulation.

(98)  See Article 37(3) of the proposed regulation.

(99)  See Judgment of the Court (Grand Chamber) of 22 January 2014, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council of the European Union, Regulation (EU) No 236/2012, Case C-270/12.
