ECB Issues Opinion on Proposed Rule on Digital Operational Resilience

ECB welcomes the aim of the proposed regulation to streamline and harmonize any overlapping regulatory requirements or supervisory expectations to which financial entities are currently subject under the EU law. ECB understands that the proposed regulation intends to set forth a prudential internal governance framework for the management of ICT risk, which will be integrated into the general internal governance framework under the Capital Requirements Directive. Moreover, given the prudential nature of the proposed framework, the competent authorities responsible for supervision of compliance with the obligations set out under the proposed framework, including ECB, will be the authorities responsible for banking supervision, in accordance with the Single Supervisory Mechanism (SSM) Regulation. 

ECB supports the effort of the EU legislative bodies to promote harmonization and streamline the set of rules and obligations applicable to credit institutions on incident reporting. In view of this, ECB stands ready to amend (and potentially repeal) the Incident Reporting Framework, where necessary, in the light of the eventual adoption of the proposed regulation. In its opinion, ECB sets out the following specific observations on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk:

• ECB welcomes the introduction by the proposed regulation of a robust and comprehensive ICT risk management framework that encompasses the CPMI-IOSCO guidance on cyber resilience and is closely aligned to best practices, including the Eurosystem Cyber Resilience Oversight Expectations for financial market infrastructures. In relation to the identification and classification to be performed by financial entities under the proposed regulation, ECB would consider it prudent, for the purposes of the classification of assets, that the proposed regulation also require financial entities to consider the criticality of such assets (that is whether they support critical functions).
• ECB welcomes the efforts outlined in the proposed regulation to harmonize the ICT incident reporting landscape in EU and work toward a centralized reporting of major ICT-related incidents. ECB emphasizes that the responsibility for, and ownership of, the remediation and the consequences of an incident should remain solely and clearly with the concerned financial entity. ECB would, therefore, propose to limit the feedback and guidance to high-level prudential feedback and guidance only.
• ECB welcomes the requirements set out under the proposed regulation on digital operational resilience testing across financial entities and the need for each institution to have its own testing program. ECB proposes to remove, from the proposed regulation, any obligation for competent authorities regarding the validation of documents and the issuance of an attestation for a threat-led penetration testing.
• ECB welcomes the introduction of a comprehensive set of key principles and a robust oversight framework to identify and manage ICT risks stemming from ICT third-party service providers, regardless of whether these belong to the same group of financial entities. Having said that, to achieve an effective ICT risk identification and management, it is important to correctly identify and classify the critical ICT third-party service providers. In this regard, while the introduction of delegated acts that will supplement the criteria to be used for classification purposes is welcome, ECB should be consulted prior to the adoption of such delegated acts.

Related Link: Opinion (PDF)

Keywords: Europe, EU, Banking, Operational Resilience, ICT Risk, Incident Reporting, Operational Risk, Third-Party Risk, SSM, CRD, Basel, Cyber Resilience, Cybersecurity, Fintech, Opinion, ECB