ESAs publish Joint Advice on ICT risk management and cybersecurity
The European Supervisory Authorities (ESAs) yesterday published two pieces of Joint Advice in response to requests made by the European Commission in its March 2018 FinTech Action Plan:
- Joint Advice on the need for legislative improvements relating to Information and Communication Technology (ICT) risk management requirements in the European Union (EU) financial sector
- Joint Advice on the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector
Regarding the need for legislative improvements, in developing the Joint Advice the ESAs’ objective was that every relevant entity should be subject to clear general requirements on governance of ICT, including cybersecurity, to ensure the safe provision of regulated services. Guided by this objective, the proposals presented in the Advice aim at promoting stronger operational resilience and harmonisation in the EU financial sector by applying changes to their respective sectoral legislation. Incident reporting is highly relevant to ICT risk management and allows relevant entities and authorities to log, monitor, analyse and respond to ICT operational, ICT security and fraud incidents. Therefore, the ESAs call for streamlining aspects of the incident reporting frameworks across the financial sector. Furthermore, the ESAs suggest that a legislative solution for an appropriate oversight framework to monitor the activities of critical third party service providers should be considered.
Regarding the costs and benefits of a coherent cyber resilience testing framework, the ESAs see clear benefits of such a framework. However, at present there are significant differences across and within financial sectors as regards the maturity level of cybersecurity. In the short term, the ESAs advise focusing on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, the ESAs propose to establish, on a voluntary basis, an EU-wide coherent testing framework together with other relevant authorities, taking into account existing initiatives, and with a focus on Threat Led Penetration Testing (TLPT). In the long term, the ESAs aim to ensure a sufficient cyber maturity level of identified cross-sector entities.
To implement the proposed actions, the ESAs highlight the required legal basis and explicit mandate, which are necessary for the development and implementation of a coherent resilience testing framework across all financial sectors by the ESAs in cooperation with other relevant authorities.
The European Commission's March 2018 FinTech Action Plan specifically requests the ESAs:
- To map, by Q1 2019, the existing supervisory practices across financial sectors around ICT security and governance requirements, and where appropriate a) to consider issuing guidelines aimed at supervisory convergence and enforcement of ICT risk management and mitigation requirements in the EU financial sector and, b) if necessary, provide the Commission with technical advice on the need for legislative improvements.
- To evaluate, by Q4 2018 (now Q1 2019), the costs and benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the whole EU financial sector.
Joint ESA Advice on The Need For Legislative Improvements Relating to ICT Risk Management Requirements
Joint ESA Advice on The Costs And Benefits of Developing a Coherent Cyber Resilience Testing Framework For Significant Market Participants And Infrastructures