A new EU operational resilience framework for cyber security?


Our recent Law-Now article discussed the FCA, PRA and Bank of England consultations on improving financial stability in the UK markets through operational resilience. Continuing this theme, but now from the EU perspective, the EBA and EIOPA have published Guidelines to address increasing concern about the changing operational risks posed by the rise of technology and their potential impact on the stability of the EU financial markets. In its 2020 Work Programme, the Single Resolution Board (SRB) has also signalled its intent to work on policies related to financial and operational continuity for the banks subject to the SRB’s remit.

As if that wasn’t enough for everyone to digest just before Christmas, the European Commission has now launched a consultation to explore how an enhanced cross-sectoral digital operational resilience framework for the EU financial services sector could be set up.

With so much regulatory change on the theme of operational resilience and management of third-party risk, many challenges lie ahead. Until the Commission’s enhanced framework is set up, firms will have to grapple with different requirements on the same themes, each with a different scope, implementation dates and supervisory approaches. They will need to fit together the jigsaw of requirements in order to identify what needs to be addressed in their business and then create organisational change programmes to implement this in the most efficient way. This will be an onerous task, particularly for large financial services groups.


The EBA and EIOPA Guidelines are part of the regulators’ response to the European Commission’s FinTech Action Plan published in March 2018, which asked the European Supervisory Authorities (ESAs) to consider issuing Guidelines on ICT risk management and mitigation requirements in the EU financial sector. The ESAs then published Joint Advice on the need for legislative improvements relating to ICT risk management requirements in April 2019.

Unlike the EBA and EIOPA, ESMA did not specifically commit in the Joint Advice to producing guidelines on ICT, focussing instead on recommendations for legislative changes and facilitating coordination between national competent authorities.

The Commission’s new consultation is in response to the recommendations in the ESAs’ Joint Advice. The Commission says the ESAs’ assessment demonstrated that the relevant EU legislation is fragmented in terms of scope, granularity and specificity. The Commission goes on to say that ICT, security and cyber risks are major components of operational risk and there should therefore be a harmonised approach in the EU financial sector.

EBA’s final Guidelines

The EBA’s Guidelines on security measures addressed to payment service providers, which have applied since January 2018, have been fully integrated into the new Guidelines and will be repealed on 30 June 2020, when the new Guidelines come into effect. The new Guidelines are addressed to a broader range of financial institutions, namely payment service providers, credit institutions and investment firms. They also apply to competent authorities.

The Guidelines reflect the increasing complexity of ICT and security risks and the rising frequency of ICT and security-related incidents (including cyber incidents) and also the fact that financial institutions are interconnected, meaning that ICT and security-related incidents may have a systemic impact.

The Guidelines are compatible with the three lines of defence model, with the ICT operational units being the first line of defence. The Guidelines focus, in particular, on the responsibilities of the management body and the second line of defence (which usually includes the information security function).

The Guidelines should be read alongside other EBA guidance, namely the Guidelines on how supervisors should assess ICT and security risk, the Guidelines on internal governance and the Guidelines on how financial institutions should manage outsourcing.

EIOPA’s draft Guidelines

EIOPA’s draft Guidelines provide guidance to national supervisory authorities and market participants on how the regulation of operational risk under Solvency II, and the guidance set out in the EIOPA Guidelines on system of governance, apply to ICT security and governance. EIOPA has taken the EBA’s Guidelines into account.

The insurance sector relies increasingly on ICT both in the provision of insurance services and in its normal operational functioning (e.g. InsurTech, IoT), and is interconnected through telecommunications channels. This makes its operations vulnerable to security incidents, including cyber attacks. EIOPA therefore considers it important to ensure that undertakings are adequately prepared to manage their ICT and security risks, including cyber risk.

The ICT Guidelines should be read in conjunction with EIOPA Guidelines on system of governance and EIOPA Guidelines on outsourcing to cloud service providers.

Responses to EIOPA’s consultation should be submitted by 13 March 2020 via EIOPA’s online survey.

European Commission Consultation

The Commission is attempting to bring the different pieces of the EU jigsaw puzzle together by developing a harmonised enhanced digital operational resilience framework for financial services. The Commission believes that the ICT and security risks faced by the financial sector warrant specific and more advanced co-ordinated actions.

Responses to the Commission’s consultation should be submitted by 12 March 2020 via the online questionnaire set out in the consultation paper.