
European regulators advise against one-size-fits-all cybersecurity policy

Europe's financial supervisory authorities have advised against the introduction of a coherent cyber resilience testing framework for the continent's market participants and infrastructures - at least in the short term.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The European Supervisory Authorities - the EBA, EIOPA and Esma - were asked by the European Commission to weigh in on the costs and benefits of such a framework as part of the EC Fintech Action Plan.

In their advice, the ESAs say that there are "clear benefits" to such a framework but there are "significant differences" across and within financial sectors when it comes to the maturity of cybersecurity, meaning that a one-size-fits-all approach is difficult in the short term.

Instead, the ESAs suggest focusing on a minimum level of cyber-resilience across sectors that is "proportionate to the needs and characteristics of the relevant entities".

The advice does suggest a voluntary EU-wide testing framework, developed together with other relevant authorities and taking into account existing initiatives.

The EC also asked the ESAs to provide advice on the need for legislative improvements relating to ICT risk management requirements.

Here, the advice calls for the streamlining of aspects of the incident reporting frameworks across the financial sector and also suggests a legislative approach to helping monitor the activities of critical third-party service providers.

While welcoming many aspects of the advice, Lorraine Johnston, regulatory counsel at law firm Ashurst, highlights one "glaring" omission: the lack of advice relating to board governance of ICT and cyber resilience.

Says Johnston: "Until ICT and cyber security sit squarely as a board level responsibility, some of these issues will remain to be seen as 'IT helpdesk' problems."
