From: Out-Law.com
Banks and other payment service providers (PSPs) could face “potentially conflicting requirements” on reporting cyber security incidents to regulators under proposed new EU rules, the European Central Bank (ECB) has warned.
The ECB has called for plans for a new Network and Information Security (NIS) Directive to be amended (12-page / 283KB PDF) to account for the existing rules and procedures that PSPs are subject to on assessing cyber security risk and notifying regulators of incidents they identify.
It said “procedures for early warnings and coordinated responses” have already been established in relation to “systemically important payment systems” and “deal with possible cyber-security threats”. There are “existing oversight arrangements”, involving financial regulators, for these procedures, it added.
“The assessment of security arrangements and incident notifications for payment and settlement systems and payment service providers (PSPs) is one of the core competences of prudential supervisors and central banks,” the ECB said in a new opinion it has issued on the draft NIS Directive. “Responsibility for developing oversight requirements in the abovementioned areas should therefore remain with these authorities, and should not be subject to potentially conflicting requirements imposed by other national authorities.”