ECB published an opinion on the proposal for a regulation on digital operational resilience for the financial sector. The opinion has been published in response to requests from the European Council and Parliament. In the opinion, ECB welcomes the proposed regulation, which is intended to enhance cyber security and operational resilience of the financial sector in EU. ECB welcomes the aim of the proposed regulation to remove obstacles to, and improve the establishment and functioning of, the internal market for financial services by harmonizing the rules applicable in the area of information and communication technology (ICT) risk management, reporting, testing, and ICT third-party risk.
ECB welcomes the aim of the proposed regulation to streamline and harmonize any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under the EU law. ECB understands that the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk, which will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of compliance with the obligations set out under the proposed framework, including ECB, will be the authorities responsible for banking supervision, in accordance with the Single Supervisory Mechanism (SSM) Regulation.
ECB supports the effort of the EU legislative bodies to promote harmonization and streamline the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, ECB stands ready to amend (and potentially repeal) the Incident Reporting Framework, where necessary, in the light of the eventual adoption of the proposed regulation. In its opinion, ECB sets out the following specific observations on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk:
- ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for financial market infrastructures. In relation to the identification and classification to be performed by financial entities under the proposed regulation, ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to consider the criticality of such assets (that is whether they support critical functions).
- ECB welcomes the efforts outlined in the proposed regulation to harmonize the ICT incident reporting landscape in EU and work toward a centralized reporting of major ICT-related incidents. ECB emphasizes that the responsibility for, and ownership of, the remediation and the consequences of an incident should remain solely and clearly with the concerned financial entity. ECB would, therefore, propose to limit the feedback and guidance to high-level prudential feedback and guidance only.
- ECB welcomes the requirements set out under the proposed regulation on digital operational resilience testing across financial entities and the need for each institution to have its own testing program. ECB proposes to remove, from the proposed regulation, any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a threat-led penetration testing.
- ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, to achieve an effective ICT risk identification and management, it is important to correctly identify and classify the critical ICT third-party service providers. In this regard, while the introduction of delegated acts that will supplement the criteria to be used for classification purposes is welcome, ECB should be consulted prior to the adoption of such delegated acts.
Related Link: Opinion (PDF)
Keywords: Europe, EU, Banking, Operational Resilience, ICT Risk, Incident Reporting, Operational Risk, Third-Party Risk, SSM, CRD, Basel, Cyber Resilience, Cybersecurity, Fintech, Opinion, ECB
The European Banking Authority (EBA) published the final draft regulatory technical standards specifying and, where relevant, calibrating the minimum performance-related triggers for simple.
The European Central Bank (ECB) is undertaking the integrated reporting framework (IReF) project to integrate statistical requirements for banks into a standardized reporting framework that would be applicable across the euro area and adopted by authorities in other EU member states.
The European Banking Authority (EBA) has been awarded the top European Standard for its environmental performance under the European Eco-Management and Audit Scheme (EMAS).
The Monetary Authority of Singapore (MAS) set out the Financial Services Industry Transformation Map 2025 and, in collaboration with the SGX Group, launched ESGenome.
The Basel Committee on Banking Supervision met, shortly after a gathering of the Group of Central Bank Governors and Heads of Supervision (GHOS), the oversight body of BCBS.
The International Organization of Securities Commissions (IOSCO) welcomed the work of the international audit and assurance standard setters—the International Auditing and Assurance Standards Board (IAASB)
The Bank of England (BoE) published a Statistical Notice (2022/18), which informs that due to the Bank Holiday granted for Her Majesty Queen Elizabeth II’s State Funeral on Monday September 19, 2022.
The French Prudential Control and Resolution Authority (ACPR) announced that the European Banking Authority (EBA) has updated its filing rules and the implementation dates for certain modules of the EBA reporting framework 3.2.
The European Central Bank (ECB) published a paper that examines how credit rating agencies accepted by the Eurosystem, as part of the Eurosystem Credit Assessment Framework (ECAF)
The Australian Prudential Regulation Authority (APRA) announced reduction in the aggregate Committed Liquidity Facility (CLF) for authorized deposit-taking entities to ~USD 33 billion on September 01, 2022.