Mon. Sep 16th, 2024

Economic and Monetary Affairs MEPs adopted uniform rules for ICT risk management, incident reporting and resilience testing. They also want sound monitoring of ICT third-party risk.

The new rules primarily aim to harmonise and strengthen the digital operational resilience requirements across the financial services sector, such as the requirements to protect against, detect, contain, recover from and repair information and communication technology (ICT)-related incidents. These requirements would be paired with reporting and digital testing capabilities.

The rules would apply to financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers and to ICT third-party service providers.

Risk preparedness and reporting

The ICT risk management framework should take into account significant differences between financial entities in terms of size, nature, complexity and risk profile. The framework should include strategies, policies, procedures, ICT protocols and tools to identify anomalous activities, prevent them and protect entities from them, so that entities can respond effectively and recover quickly while ensuring operational business continuity.

MEPs also decided that risk management requirements should not hamper innovation in dealing with digital operational resilience issues.

In order to achieve a robust ICT-related incident reporting regime for financial entities, with less administrative burden and no reporting overlaps, MEPs agreed that entities should report to their competent authorities in a centralised and harmonised manner. The possibility of establishing a single EU Hub for major ICT-related incidents should be explored.

Additionally, to assess how prepared they are to deal with risk, financial entities should conduct tests identifying weaknesses, deficiencies or gaps in their digital operational resilience.

Oversight of ICT third-party risk

Financial entities may only enter into a contract with ICT service providers that meet appropriate, up-to-date security standards. MEPs stressed that ICT third-party service providers are crucial to the functioning of the financial sector and should therefore be properly overseen at EU level. They proposed to create a Joint Oversight Body to directly oversee critical ICT third-party service providers. Moreover, one of the European supervisory authorities (ESAs) should be designated as a Lead Overseer for each critical ICT third-party service provider to conduct and coordinate day-to-day oversight and investigative work. Additionally, critical ICT third-party service providers established in third countries would be required to establish a presence in the EU in order to be able to enter into contractual arrangements with financial entities.

Finally, MEPs want to enhance the exchange of information and cooperation between the ESAs, national competent authorities, the Network and Information Systems (NIS) Cooperation Group, national computer security incident response teams (CSIRTs), the Lead Overseer and the Joint Oversight Body. This is to ensure that the cyber security strategies adopted by member states are consistent, to make financial supervisors aware of cyber incidents and to enable a cross-sector learning process.

The regulation, together with the decision to enter negotiations, was adopted with 44 votes to 5 and 5 abstentions.

In a separate directive, adopted with 44 votes to 5 and 5 abstentions, MEPs agreed to amendments that bring legal clarity and consistency to existing EU financial services rules. They also ensured that the rules in the regulation and the directive are aligned with each other and gave a green light for negotiations on the directive.

“By voting in favour of this regulation and directive, shortly after NIS 2.0 and CER have been endorsed by their respective committees, the European Union will be one step closer to having a comprehensive and well-coordinated set of rules addressing ICT risk and building cyber resilience for all entities”, said Billy Kelleher (Renew, IE), responsible for the regulation.
