On 10 June 2021, the European Banking Authority (EBA) published its final revised Guidelines on major incident reporting under the Payment Services Directive (PSD2) (the “Guidelines”, EBA/GL/2021/03).
The revised Guidelines are available here.
Pursuant to article 96(3) of Directive (EU) 2015/2366 (PSD2), the original Guidelines on major incident reporting were developed in 2017 in close cooperation with the European Central Bank (ECB) and have applied since January 2018 (see our previous client alert on this topic here).
The Guidelines set out the criteria, thresholds and methodology that payment service providers (PSPs) must apply to determine whether an operational or security incident qualifies as major and, if it does, how the incident must be notified to their national competent authority (NCA) under Article 96(2) PSD2.
In 2020, the EBA launched a review of the Guidelines, assessing the incident reports it had received by then, and consulted publicly on the proposed amendments. This review forms part of the regular review process set out in Article 96(4) PSD2, under which the Guidelines are to be reviewed regularly and at least every two years (see our previous client alert on this topic here).
Following this consultation, the revised Guidelines aim to optimise and simplify the reporting process and templates, to focus on incidents with a significant impact on PSPs and to improve the relevance of the information reported. The EBA also expects the revised Guidelines to reduce the reporting burden on PSPs.
The EBA acknowledges the ongoing negotiations on the European Commission’s proposal for an EU regulatory framework on digital operational resilience (DORA), which contains, inter alia, a proposal to harmonise and streamline the reporting of ICT-related incidents, not only for payment services but across the entire EU financial sector (see our publication on DORA here). The EBA will continue to monitor these negotiations.
Depending on the outcome, the Guidelines may eventually be repealed and replaced by the DORA Regulation, which is currently expected to apply from 2024.
The most relevant amendments to the Guidelines are the following.
The revised Guidelines amend some of the original classification criteria and introduce a new criterion on the breach of security of network or information systems. Following feedback from the public consultation, this criterion was narrowed in scope from the ‘breach of security measures’ criterion originally proposed.
After assessing the consultation responses, the EBA accepted that the criterion as proposed should be reconsidered: it was rather broad and could have captured unintentional operational incidents, which would have led PSPs to report additional incidents of limited use to NCAs, contrary to the objective of the revision.
The EBA therefore assessed several options and concluded that focusing the criterion on the ‘breach of security of network or information systems’ was the most appropriate way to address the respondents’ concerns while still meeting the objective of capturing additional security incidents of interest to NCAs.
In particular, the new criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services. Unintentional operational incidents are therefore not captured by this criterion, although they continue to be assessed against the other classification criteria, while security incidents that would otherwise have gone unreported but are of interest to supervisors are now reportable.
To reduce the reporting burden on PSPs, the EBA removed unnecessary steps from the reporting process and allowed more time for the submission of the final report to the NCA.
In the consultation paper, the EBA proposed changes to the Guidelines to clarify that the four-hour deadline for PSPs to submit an incident report to their NCA runs from the moment the incident has been classified as major against the criteria set out in the Guidelines, rather than from its detection.
A few respondents commented on the timeline for classifying incidents and asked for clarity on the deadline that should apply to classification once an incident has been detected.
To address these concerns, the EBA further clarified in Guideline 2.9 that an incident should be classified within 24 hours of its detection, inter alia to avoid situations in which PSPs take an excessively long time to classify incidents. In practice, a major incident must therefore be classified within 24 hours of detection and the incident report submitted to the NCA within four hours of that classification.
The EBA also clarified in the same Guideline that, on the rare occasions when an incident cannot be classified within 24 hours, the PSP should justify to the NCA why this was the case.
To simplify the incident reporting process and reduce the notification burden on PSPs, the requirement to update the intermediate report every three days until the major incident was resolved has been removed from the Guidelines.
In addition, the revised Guidelines now provide:
As proposed in the consultation paper, the revised Guidelines:
The EBA also simplified and optimised the standardised reporting template in Annex I.
Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.