PRESS RELEASE

ECB publishes the cyber resilience oversight expectations

3 December 2018

  • ECB publishes final cyber resilience oversight expectations for financial market infrastructures
  • Document defines Eurosystem’s expectations in terms of cyber resilience, based on existing global guidance
  • Reflects comments received from public consultation

The European Central Bank (ECB) is today publishing the final cyber resilience oversight expectations for financial market infrastructures (FMIs). Cyber resilience is an important aspect of FMIs’ operational resilience and is thus also a factor affecting the overall resilience of the financial system and the broader economy.

The cyber resilience oversight expectations are based on the global guidance on cyber resilience for financial market infrastructures. This guidance was published by the Committee on Payments and Market Infrastructures and the Board of the International Organisation of Securities Commissions (CPMI-IOSCO) in June 2016.

The cyber resilience oversight expectations serve three key purposes:

  1. it provides FMIs with detailed steps on how to operationalise the guidance, ensuring they are able to foster improvements and enhance their cyber resilience over a sustained period of time;
  2. it provides overseers with clear expectations to assess FMIs under their responsibility; and
  3. it provides the basis for a meaningful discussion between the FMIs and their respective overseers.

The ECB received responses from 20 entities, including FMIs, banks, banking communities and associations. The ECB wishes to thank all respondents for their valuable feedback, questions and proposals for amendments.

Comments in the public consultation mostly focused on four aspects:

  • The level of prescriptiveness of the expectations;
  • The three levels of cyber maturity and how these correspond to other international cybersecurity frameworks which also have maturity models;
  • The process for oversight assessments against the cyber resilience oversight expectations; and
  • The need for harmonisation across different jurisdictions and amongst regulators, to reduce the fragmentation of regulatory expectations and facilitate oversight convergence.

The ECB has assessed all of the comments.

The document “Response to the public consultation on the cyber resilience oversight expectations” presents a high-level overview of the comments received and summarises the main amendments to the cyber resilience oversight expectations.

For media queries, please contact Alexandrine Bouilhet, tel.: +49 69 1344 8949.

Notes

The ECB promotes the safety and efficiency of payment, clearing and settlement systems in the euro area under its oversight mandate, guided by oversight regulations, standards, guidelines and expectations. At Eurosystem level, the ECB is the competent authority for the systemically important payment systems in the euro area: TARGET2, EURO1 and STEP2-T and is the lead overseer for TARGET2-Securities; oversight of other payment systems lies with the national central banks.

Media contacts