ECB warns about conflicts in payment system security incident notification requirements

Out-Law News | 15 Sep 2014 | 11:59 am | 2 min. read

Banks and other payment service providers (PSPs) could face "potentially conflicting requirements" on reporting cyber security incidents to regulators under proposed new EU rules, the European Central Bank (ECB) has warned.

The ECB has called on plans for a new Network and Information Security (NIS) Directive to be amended (12-page / 283KB PDF) to account for existing rules and procedures PSPs are subject to on assessing cyber security risk and notifying regulators of incidents they identify.

It said "procedures for early warnings and coordinated responses" have already been established in relation to "systemically important payment systems" and "deal with possible cyber-security threats". There are "existing oversight arrangements", involving financial regulators, for these procedures, it added.

"The assessment of security arrangements and incident notifications for payment and settlement systems and payment service providers (PSPs) is one of the core competences of prudential supervisors and central banks," the ECB said in a new opinion it has issued on the draft NIS Directive. "Responsibility for developing oversight requirements in the abovementioned areas should therefore remain with these authorities, and should not be subject to potentially conflicting requirements imposed by other national authorities."

"Furthermore, risk management, including security requirements in respect of payment and settlement systems and other market infrastructures within the euro area, is set by the Eurosystem, comprising the ECB and NCBs (national central banks) from those member states that have adopted the euro. Through this oversight function, the Eurosystem aims to ensure the smooth functioning of payment and settlement systems by applying … appropriate oversight standards and minimum requirements. The proposed directive should take into account the oversight framework already in place and ensure regulatory consistency across the Union," it said.

The NIS Directive was first proposed last year by the European Commission with the aim of ensuring operators of critical national infrastructure meet appropriate IT security standards, share information about threats, and report certain incidents they encounter where that security has been breached.

The Directive, although still to be finalised, is set to apply to operators of critical national infrastructure in a range of sectors, including banking, telecoms and energy. Organisations subject to the new rules would have to adhere to appropriate IT security standards and report "incidents having a significant impact on the security of the core services they provide" to regulators.

An information sharing initiative on cyber security threats is also envisaged under the new Directive. In its opinion paper, the ECB said that there is a "strong case" for financial regulators in the EU to work with other bodies in the trading bloc to share information on cyber security threats and incidents under the new framework.

"There is a strong case for sharing information with the European Network and Information Security Agency or competent authorities under the proposed directive, and with the EBA (European Banking Authority) or ESMA (European Securities and Markets Authority) as the competent authority for the coordination of incidents relating to PSPs," the ECB said.