ESAs publish Joint Advice on ICT risk management and cybersecurity
The European Supervisory Authorities (ESAs) yesterday published two pieces of Joint Advice in response to requests made by the European Commission in its March 2018 FinTech Action Plan:
- Joint Advice on the need for legislative improvements relating to Information and Communication Technology (ICT) risk management requirements in the European Union (EU) financial sector
- Joint Advice on the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector
Regarding the need for legislative improvements, in developing the Joint Advice the ESAs’ objective was that every relevant entity should be subject to clear general requirements on governance of ICT, including cybersecurity, to ensure the safe provision of regulated services. Guided by this objective, the proposals presented in the Advice aim at promoting stronger operational resilience and harmonisation in the EU financial sector by applying changes to their respective sectoral legislation. Incident reporting is highly relevant to ICT risk management and allows relevant entities and authorities to log, monitor, analyse and respond to ICT operational, ICT security and fraud incidents. Therefore, the ESAs call for streamlining aspects of the incident reporting frameworks across the financial sector. Furthermore, the ESAs suggest that a legislative solution for an appropriate oversight framework to monitor the activities of critical third party service providers should be considered.
Regarding the costs and benefits of a coherent cyber resilience testing framework, the ESAs see clear benefits of such a framework. However, at present there are significant differences across and within financial sectors as regards the maturity level of cybersecurity. In the short term, the ESAs advise focusing on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, the ESAs propose to establish, on a voluntary basis, an EU-wide coherent testing framework together with other relevant authorities, taking into account existing initiatives, and with a focus on Threat Led Penetration Testing (TLPT). In the long term, the ESAs aim to ensure a sufficient cyber maturity level of identified cross-sector entities.
To implement the proposed actions, the ESAs highlight the required legal basis and explicit mandate, which is necessary for the development and implementation of a coherent resilience testing framework across all financial sectors by the ESAs in cooperation with other relevant authorities.
The European Commission's March 2018 FinTech Action Plan specifically requests the ESAs:
- To map, by Q1 2019, the existing supervisory practices across financial sectors around ICT security and governance requirements, and where appropriate a) to consider issuing guidelines aimed at supervisory convergence and enforcement of ICT risk management and mitigation requirements in the EU financial sector and, b) if necessary, provide the Commission with technical advice on the need for legislative improvements.
- To evaluate, by Q4 2018 (now Q1 2019), the costs and benefits of developing a coherent cyber resilience testing framework for significant market participants and infrastructures within the whole EU financial sector.
Joint ESA Advice on The Need For Legislative Improvements Relating to ICT Risk Management Requirements
Joint ESA Advice on The Costs And Benefits of Developing a Coherent Cyber Resilience Testing Framework For Significant Market Participants And Infrastructures