EBA publishes revised Guidelines on how to report major incidents under PSD2
The EBA (European Banking Authority) published its final revised Guidelines on major incident reporting under the Payment Services Directive (PSD2) on 10 June 2021. The Guidelines will apply as of 1 January 2022.
In accordance with PSD2, PSPs (payment service providers) are required to report to the competent authority in their home Member State any major operational or security incidents that have, or are likely to have, an adverse impact on the provision of payment services.
The original Guidelines on major incident reporting – developed in close cooperation with the European Central Bank – were adopted in July 2017 and have applied since January 2018. Article 96(4) of PSD2 requires the EBA to review the Guidelines on a regular basis and in any event at least every two years. It therefore published a consultation paper in October 2020 and received 29 responses, raising 82 distinct concerns. The EBA agreed with some of the proposals and their underlying arguments, and has introduced changes to the Guidelines accordingly.
In the revised Guidelines, the most substantive change relates to the new classification criterion, which was changed from ‘Breach of security measures’ to ‘Breach of security of network or information systems’.
The EBA also clarified the process and timeline for the classification of major incidents, the meaning of the term ‘duration of an incident’ and other aspects of the Guidelines, mainly in the instructions on how to fill out the incident reporting template.
The revised Guidelines will be translated into the official EU languages and published on the EBA website. The deadline for Competent Authorities to report on whether they comply with the Guidelines will be two months after the publication of the translations; the Guidelines will apply from 1 January 2022.
Moreover, the EBA acknowledges the ongoing negotiations on the European Commission’s proposal for an EU regulatory framework on digital operational resilience (DORA). This proposal aims to harmonise and streamline the reporting of ICT‐related incidents across the EU financial sector. Depending on its outcome, the revised EBA Guidelines might therefore eventually be repealed if/when DORA applies – in 2024 or later.