Guidelines on security measures for operational and security risks under the PSD2

Status: Final and translated into the EU official languages

The Guidelines have been developed in close cooperation with the European Central Bank (ECB), and are in support of the objectives of PSD2, such as strengthening the integrated payments market in the EU, mitigating the increased security risks arising from electronic payments, and promoting equal conditions for competition.

EBA consults on guidelines on ICT and security risk management

13 December 2018

The European Banking Authority (EBA) today launched a consultation on its draft Guidelines on ICT and security risk management. These Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market. The consultation runs until 13 March 2019.

Due to a growing reliance on ICT for their operational functioning, financial institutions are vulnerable to increased threats from internal and external attacks, including cyber-attacks, or breaches that may arise from inadequate business continuity planning for ICT systems and processes, or poor processes relating to ICT change management. These Guidelines aim to mitigate all ICT risks, internal or external, including security-related risks, for all financial institutions.

The Guidelines outline expectations in relation to governance, the risk assessment process, information security requirements, ICT operational management, security in the change and development processes, and business continuity management to mitigate ICT and security risks. Specifically for PSPs, the Guidelines cover the management of their relationship with payment service users (PSUs) to ensure that the measures implemented are well communicated to them.

The Guidelines are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to PSPs subject to the revised Payment Services Directive (PSD2), for their payment services.

Consultation process

Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 13 March 2019.

A public hearing will take place at the EBA premises on 13 February 2019 from 14:00 to 16:00 UK time. All contributions received will be published following the end of the consultation, unless requested otherwise.

Legal basis, background and next steps

These Guidelines have been developed according to Article 74 of Directive 2013/36/EU, which mandates the EBA to further harmonise institutions' governance arrangements, processes and mechanisms across the EU, and Article 95 (3) of Directive 2015/2366, which mandates the EBA to issue guidelines with regard to the establishment, implementation and monitoring of security measures for operational and security risks, and Article 16 of Regulation (EU) No 1093/2010.

These Guidelines respond to the European Commission's FinTech Action plan request for the EBA to develop guidelines on ICT risk management and mitigation requirements in the EU financial sector.

The Guidelines on security measures for operational and security risks (EBA GL/2017/17) have been fully integrated in the EBA Guidelines on ICT and security risk management and will be repealed when the latter enter into force.

Press contacts:

Franca Rosa Congiu

E-mail: press@eba.europa.eu - Tel: +33 1 86 52 7052

EBA publishes final Guidelines on security measures under PSD2

12 December 2017

The European Banking Authority (EBA) published today its final Guidelines on security measures for operational and security risks of payment services under the revised Payment Services Directive (PSD2). These Guidelines, which the EBA developed in close cooperation with the European Central Bank (ECB), are in support of the objective of PSD2 of contributing to an integrated payments market across the European Union, promoting equal conditions for competition, and mitigating the increased security risks arising from electronic payments. This, in turn, minimises disruption to users, payment service providers and payment systems.
 
These Guidelines aim to ensure that payment service providers have in place appropriate security measures to mitigate operational and security risks. These should include the establishment of an effective operational and security risk management framework; processes that detect, prevent and monitor potential security breaches and threats; risk assessment procedures; regular testing; and processes to raise awareness among payment service users of security risks and risk-mitigating actions.
 
Following the three-month consultation period, the EBA decided to further clarify and detail some terms and aspects it had proposed in the draft Guidelines. In particular, the final Guidelines clarify the meaning of proportionality and explain why the EBA is not regulating certification processes of security measures.

Legal basis and background

These Guidelines have been drafted in accordance with Article 95 (3) of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which mandates the EBA to issue guidelines for the purpose of managing operational and security risks and with regard to the establishment, implementation and monitoring of the security measures, including certification processes, where relevant.
 
