The European Commission wants all players in the financial sector — banks, investment funds, suppliers of crypto-assets — to be subject to common standards so that they can deal with the technological risks inherent in their operations.
On Thursday 24 September, the Commission therefore tabled a legislative package — a directive and a regulation — aimed at increasing and testing the risk management capabilities of financial players, subjecting providers of technological services considered to be systemic to harmonised prudential requirements, and facilitating incident reporting.
The standards that are imposed will evolve according to the risks that are involved, the size of the players, and the sectors of activity.
According to the proposal, critical ICT third-party service providers would be identified on the basis of such qualitative and quantitative criteria as their size and the financial players that are dependent on them. A service provider that has not been prima facie identified could ask to be subject to the European supervisory framework.
The European Financial Supervisory Authorities (ESMA, EBA, EIOPA) would be able to access specific documents belonging to providers considered critical, carry out inspections on their premises, issue recommendations or even instructions, and oppose certain arrangements or scenarios that would affect the stability of the financial entity using the provider’s services. It would even be possible to fine a technology service provider.
Reporting of ICT-related incidents would take place between financial entities and to the competent national authorities. The three European financial supervisory authorities and the European Cyber Security Agency (ENISA) will also explore the option of setting up a European platform to collate this information.
See the legislative proposals: https://bit.ly/3kMTYAq (Original version in French by Mathieu Bion)