On 10 April 2019, the Joint Committee of the European Supervisory Authorities (ESAs) published two pieces of joint advice in response to requests made by the European Commission in its March 2018 FinTech Action Plan:

  • Joint Advice on the need for legislative improvements relating to Information and Communication Technology risk management requirements in the EU financial sector. Section 1.1 sets out analysis of the existing legislative requirements regarding information and communication technology (ICT) governance and security in the different sectors within the ESAs’ remit. Detailed proposals based on this analysis are in sections 2.1 and 2.2. Relevant analysed legislation is referenced in the Annexes. In carrying out their analysis of existing ICT governance and security measures, the ESAs identified two related areas that may benefit from further action at EU level: ICT incident reporting and an appropriate oversight framework for monitoring critical service providers to the extent that their activities may impact relevant entities. These issues are covered in section 2.2, which includes detailed joint ESA proposals; and
  • Joint Advice on the costs and benefits of a coherent cyber resilience testing framework for significant market participants and infrastructures within the EU financial sector. In the short term the ESAs advise to focus on achieving a minimum level of cyber-resilience across the sectors, proportionate to the needs and characteristics of the relevant entities. Furthermore, the ESAs propose to establish on a voluntary basis an EU wide coherent testing framework together with other relevant authorities taking into account existing initiatives, and with a focus on threat lead penetration testing. In the long term, the ESAs aim to ensure a sufficient cyber maturity level of identified cross-sector entities. The ESAs note that more work is needed by the ESAs together with other authorities and experts to address specific practical and policy implementation questions. Such questions could include what should be the scope and definition of ‘significant’ market participants and infrastructures?