Joint Advice of the European Security Authorities on the need for legislative improvement relating to ICT risk-management requirements in the EU financial sector

On the 10th of April, the European Supervisory Authorities (‘ESAs’), in tandem, following a thorough analysis of the EU legislative framework in the field of ICT and cybersecurity, issued a joint advice to the European Commission on the necessary improvement of certain legislative provisions related to ICT risk management, whilst promoting the need for an increase in the harmonisation of the area, through common minimum requirements centred on ICT risk management.

The ESAs issued several sectoral proposals:

  1. Within the banking and payments sector, that provisions covering operational resilience as a requirement relating to governance be added to both the Capital Requirements Directive, and to the second Payment Services Directive;
  2. Within the insurance and re-insurance sector, that provisions on operational resilience as a governance requirement be added to the Solvency II Directive;
  3. Within the securities market, that legislation specifically referring to cybersecurity be added to legislative areas lacking such references, furthermore incident reporting requirements should also be introduced to the Central Securities Depository Regulation, to the EMIR, MIFID, as well as to the Credit Rating Agency Regulation.

Moreover, the ESA’s issued several cross-sectoral proposals:

  1. The clarification of overlapping provisions and standardising rules where possible in relation to existing incident reporting requirements.
  2. The consideration of a legislative solution that monitors the activities of third-party providers when they are critical service providers to relevant entities.


Ranked in