In line with the mandate conferred upon it by the revised Payment Services Directive (PSD2), the European Banking Authority on Thursday 27 July published its final guidelines on the classification and notification of major operational or security incidents by payment service providers.
These guidelines, which were drawn up in close collaboration with the European Central Bank on the basis of an evaluation of existing national practices, set out the criteria, thresholds and methodology to be used by payment service providers to determine whether an operational or security incident should be considered major and consequently require reporting to the competent authority of the host member state. They also allow payment service providers to delegate their incident reporting obligations to a third party, under certain conditions.
In order to minimise the disturbances caused by these incidents to users and service providers, they lay down a deadline for reports to be filed and establish a notification and reporting model to be used throughout the course of the incident.
The guidelines will begin to apply when the PSD2 Directive enters into force on 13 January 2018 and may be consulted at: http://bit.ly/2vaHHjz. (Original version in French by Marion Fontana)