The Guidelines will apply as of 1 January 2022.
The EBA acknowledges the ongoing negotiations of the EU Commission’s proposal for an EU regulatory framework on digital operational resilience (DORA), which contains, inter alia, a proposal to harmonise and streamline the reporting of ICT-related incidents, not only for payment services but across the entire EU finance sector (see our publication on DORA here). The EBA will continue monitoring these negotiations.
Depending on the outcome, the EBA Guidelines may eventually be repealed and replaced with the DORA Regulation, which is currently estimated to apply from 2024.
The revised Guidelines
The most relevant amendments of the Guidelines are the following.
- New classification criterion
The revised Guidelines introduce changes to some of the original classification criteria and introduce a new criterion on the breach of security of network or information systems, which, following the feedback from the public consultation, was narrowed down in scope from ‘breach of security measures’, as originally proposed.
After assessing the consultation responses, the EBA arrived at the view that the proposal of the new criterion should be reconsidered, since the proposed criterion was indeed rather broad and could cover unintentional operational incidents. This would result in PSPs reporting additional incidents of limited use to NCAs, which in turn would be contrary to the objective of the revision of the Guidelines.
The EBA, therefore, assessed a few options on how to proceed and, in the end, decided that focusing the criterion on a ‘breach of security of network or information systems’ is the most appropriate way to address the concerns raised by the respondents and to meet the objective of capturing additional security incidents that may be of interest to NCAs.
A detailed description of this criterion has therefore been introduced in Guideline 1.3.
In particular, this (new) criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services and it would allow the reporting of additional security incidents that would be of interest to supervisors.
- Timeline for classification of incidents
To reduce the reporting burden on PSPs, the EBA removed unnecessary steps from the reporting process and allowed more time for the submission of the final report to the NCA.
The EBA proposed in the consultation paper changes to the Guidelines in order to clarify that the four-hour deadline for submission of an incident report from PSPs to NCAs applies after the incident has been classified as major against the criteria set in the Guidelines.
A few respondents commented on the timeline for classification of the incidents and stated that additional clarity is needed on the deadline that should apply to the classification of incidents after they are detected.
To address these concerns, the EBA further clarified in Guideline 2.9 that the classification of the incident should take place within 24 hours of its detection, inter alia to avoid situations where PSPs might take an excessively long time to classify the incidents.
The EBA also clarified in the same Guideline that, on the rare occasions when the incident cannot be classified within 24 hours, the PSP should justify to the NCA why this has been the case.
- Number of reports and deadline
In order to simplify the incident reporting process and reduce the notification burden on PSPs, the requirement to provide an update of the intermediate report every three days until the major incident is resolved was removed from the Guidelines.
In addition, the revised Guidelines now provide:
- that the PSP should submit an intermediate report to the NCA if regular activities have been restored and business is back to normal, in line with Guideline 2.12 (previous Guideline 2.13);
- that, in the event the PSP becomes aware of a significant change to the information provided with an intermediate report (including the specific case where the incident has not been resolved within three working days but at a later stage), the PSP should submit another intermediate report (Guideline 2.14). This additional intermediate report has no specific deadline for its submission and is based on the assessment of the PSP;
- an extension of the deadline for the submission of the final report from 2 weeks to a maximum of 20 working days.
- Thresholds and calculation methods for the criteria of ‘transactions affected’ and ‘payment services users affected’
As proposed in the consultation paper, the revised Guidelines:
- increase the thresholds of the ‘transactions affected’ classification criterion: the EBA has raised the total amount of transactions affected for the lower impact level from 100,000 EUR to 500,000 EUR, and for the higher impact level from 5 million EUR to 15 million EUR;
- amend the criteria for the assessment of the lower impact level of ‘transactions affected’ so that the percentage and the absolute amount thresholds apply as alternatives, and add a condition that, where the incident is of an operational nature and relates to the inability of the PSP to initiate and/or process transactions, the incident must have lasted at least one hour.
The same changes apply to the lower impact level of the ‘payment services users affected’ criterion.
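The ‘transactions affected’ rule and the classification and reporting timeline described above, encoded as an added example that is not part of the alert or of the EBA Guidelines: the 500,000 EUR and 15 million EUR amounts, the one-hour condition for operational incidents and the 24-hour, four-hour and 20-working-day deadlines come from the text; the percentage threshold, the reached-or-exceeded comparison and the starting point of the 20-working-day count are not given in the alert and are labelled as assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Amount thresholds stated in the alert for the 'transactions affected' criterion.
LOWER_IMPACT_AMOUNT_EUR = 500_000
HIGHER_IMPACT_AMOUNT_EUR = 15_000_000
# The alert names a percentage alternative but gives no figure: placeholder assumption.
LOWER_IMPACT_PERCENT_PLACEHOLDER = 10.0

@dataclass
class Incident:
    amount_affected_eur: float
    percent_of_regular_transactions: float
    operational: bool               # True: operational incident; False: security incident
    hours_unable_to_process: float  # how long the PSP could not initiate/process transactions

def transactions_affected_level(inc: Incident) -> str:
    """'higher', 'lower' or 'none'; thresholds treated as reached-or-exceeded (assumption)."""
    if inc.amount_affected_eur >= HIGHER_IMPACT_AMOUNT_EUR:
        return "higher"
    # Lower level: the percentage and the absolute amount are alternatives, not cumulative.
    reached = (inc.amount_affected_eur >= LOWER_IMPACT_AMOUNT_EUR
               or inc.percent_of_regular_transactions >= LOWER_IMPACT_PERCENT_PLACEHOLDER)
    if not reached:
        return "none"
    # Added condition: an operational incident about the inability to initiate/process
    # transactions only meets the lower level if it lasted at least one hour.
    if inc.operational and inc.hours_unable_to_process < 1.0:
        return "none"
    return "lower"

def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by `days` working days (Mon-Fri); public holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def reporting_deadlines(detected_at: datetime, classified_at: datetime, restored_at: datetime) -> dict:
    """Classify within 24h of detection (Guideline 2.9), initial report 4h after classification
    as major, final report within 20 working days (counted from restoration: an assumption)."""
    classification_due = detected_at + timedelta(hours=24)
    return {
        "classification_due": classification_due,
        "justification_needed": classified_at > classification_due,  # Guideline 2.9
        "initial_report_due": classified_at + timedelta(hours=4),
        "final_report_due": add_working_days(restored_at, 20),
    }
```

A PSP's playbook would replace the placeholder percentage with the figure from the Guidelines and add its own public-holiday calendar to the working-day count.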
- Reporting standardisation
The EBA also simplified and optimised the standardised reporting template in Annex I.
Should you have any questions about the above, please do not hesitate to contact one of the members of the Bird & Bird global payments team.
If you would like to receive our regular Payments alerts in your inbox, click here.
If you would like to read Bird & Bird’s previous alerts, please check out our Payments In Focus webpage here.