On 3 December 2018, the European Central Bank (ECB) published its cyber resilience oversight expectations for financial market infrastructures (FMIs) (the Expectations).

In June 2016, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) published Guidance on cyber resilience for financial market infrastructures (Guidance). The Expectations provides FMIs with detailed steps on how to operationalise the Guidance, ensuring they are able to foster improvements and enhance their cyber resilience over a sustained period of time. It also provides the basis for a meaningful discussion between FMIs and their regulators.

The Expectations are presented in chapters that outline five primary risk management categories and three overarching components that should be addressed across an FMI’s cyber resilience framework. The risk management categories are: (i) governance, (ii) identification; (iii) protection; (iv) detection; and (v) response and recovery. The overarching components are testing, situational awareness, and learning and evolving.