Opinion on the security of network and information systems (CON/2019/17)


ECB-PUBLIC

OPINION OF THE EUROPEAN CENTRAL BANK

of 2 May 2019

on the security of network and information systems

(CON/2019/17)

Introduction and legal basis

On 4 March 2019 the European Central Bank (ECB) received a request from the Αρχή Ψηφιακής Ασφάλειας (DSA, Digital Security Authority) of the Republic of Cyprus for an opinion on certain draft legislative provisions (hereinafter the ‘draft legislative provisions’) which will form part of a draft law on the establishment, tasks and operation of the DSA (hereinafter the ‘draft law’), which will replace Law 17(I) of 2018 on the security of network and information systems[1] (hereinafter the ‘existing law’).

The ECB’s competence to deliver an opinion is based on Articles 127(4) and 282(5) of the Treaty on the Functioning of the European Union and the third, fifth and sixth indents of Article 2(1) of Council Decision 98/415/EC[2], as the draft legislative provisions relate to the Central Bank of Cyprus (CBC), payment and settlement systems, rules applicable to financial institutions insofar as they materially influence the stability of financial institutions and markets, and the tasks conferred upon the ECB concerning the prudential supervision of credit institutions pursuant to Article 127(6) of the Treaty. In accordance with the first sentence of Article 17.5 of the Rules of Procedure of the European Central Bank, the Governing Council has adopted this opinion.

1. Purpose of the draft law and the draft legal provisions

1.1 The purpose of the draft law is to more closely align the Cypriot legal framework with Directive (EU) 2016/1148 of the European Parliament and of the Council[3]. The draft law will replace the existing law which implemented Directive (EU) 2016/1148 in 2018.

1.2 The draft law establishes the DSA, creates the national computer security incident response team and ensures the security, integrity and resilience of electronic communications networks and services[4]. As part of its powers and tasks, the DSA may (a) ensure that operators of essential services and operators of critical information infrastructures take appropriate and proportionate technical and organisational measures to manage the security risks of the network and information systems used in their activities and the appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used in the provision of such services, (b) impose administrative fines or other sanctions, (c) request for the purposes of its activities any relevant technical, financial and legal information from operators of essential services and operators of critical information infrastructures, (d) summon and compel the presence of witnesses in investigations, and (e) carry out on-site inspections[5].

1.3 The draft law provides that where a sector-specific Union legal act requires operators of essential services or digital service providers either to ensure the security of their network and information systems or to notify incidents, provided that such requirements are at least equivalent in effect to the obligations laid down in the draft law, those provisions of that sector-specific Union legal act as applied in the national legal order shall apply, in accordance with Article 1(7) of Directive (EU) 2016/1148.

1.4 The draft law does not identify the operators of essential services or the operators of critical information infrastructures, but empowers the DSA to do so by way of issuing a decree. In the explanatory memorandum which accompanies the request for an opinion, it is noted that in the context of determining the relevant critical information infrastructures, the financial sector indicated in Directive (EU) 2016/1148 will be considered[6]. In this regard, it is further noted that where there is no lex specialis, the draft law may capture sectors which fall under the responsibility of the CBC, such as systems and infrastructures of the CBC, systems which the CBC oversees but does not administer, and financial institutions supervised by the CBC.

[1] Ο περί Ασφάλειας Δικτύων και Συστημάτων Πληροφοριών Νόμος του 2018 (Ν. 17(I)/2018) [the Security of Network and Information Systems Law of 2018 (Law 17(I)/2018)].
[2] Council Decision 98/415/EC of 29 June 1998 on the consultation of the European Central Bank by national authorities regarding draft legislative provisions (OJ L 189, 3.7.1998, p. 42).
[3] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
[4] The draft law also transposes Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive) (OJ L 108, 24.4.2002, p. 33).
1.5 The draft legislative provisions add to the powers and tasks of the DSA under the draft law (a) the monitoring of compliance with the draft law, in the interest of which the DSA is empowered to request the assistance of the relevant supervisory authorities and national authorities involved in the supervision of persons subject to supervision under other legislation and when such supervision is exercised by supranational authorities[7], and (b) the power to enter into memoranda of understanding with operators that are governed by the draft law or other authorities, organisations, companies or supervisory authorities that cooperate with the DSA. In addition, in cases where the CBC has been designated as an operator of critical infrastructures or otherwise pursuant to the draft law, such designation may be governed by a memorandum of understanding between the DSA and the CBC. Without prejudice to Union law, any information provided by the CBC to the DSA in the context of such cooperation does not constitute a breach of the CBC’s professional secrecy obligation.

2. General observations

2.1 According to Article 3 of Directive (EU) 2016/1148, Directive (EU) 2016/1148 is a minimum harmonisation directive, meaning that Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems than provided for under the Directive. The draft law goes beyond Directive (EU) 2016/1148 by covering critical infrastructures and foreseeing the designation of operators of critical infrastructures. This opinion does not address whether the draft law, if adopted as proposed, would represent an effective means of implementing Directive (EU) 2016/1148 into Cypriot law.

2.2 As previously noted by the ECB[8], the ECB supports the aim of Directive (EU) 2016/1148 of ensuring a high common level of network and information security (NIS) across the Union and of achieving a consistency of approach in this field across business sectors and Member States. It is important to ensure that the internal market is a safe place to do business and that all Member States have a certain minimum level of preparedness for cybersecurity incidents. Concurrently, it should be ensured that the provisions of the national legislation transposing Directive (EU) 2016/1148 are coordinated with the Eurosystem’s competences[9] (see paragraphs 3 to 4) and respect the principle of central bank independence enshrined in Article 130 of the Treaty. Indeed, and in line with the ECB’s recommendation, recital 14 of Directive (EU) 2016/1148 states that the Directive does not affect the Eurosystem’s oversight of payment and settlement systems[10]. On the other hand, NIS benefits from synergies and economies of scale. In particular, dedicated national DSAs have the potential to become repositories of considerable resources and expertise which the Eurosystem may draw upon in the area of NIS. Moreover, recognition of the ECB and its decision-making bodies’ independence does not have the consequence of separating the Eurosystem entirely from the Union and exempting it from every rule of Union law[11]. The national implementing measures of Directive (EU) 2016/1148 are not prima facie precluded from applying to the Eurosystem.

[5] See Articles 17, 19 and 20 of the draft law.
[6] See Article 4(4) of Directive (EU) 2016/1148.
[7] See Article 17(hh) of the draft law.
2.3 Against this background, the ECB welcomes the establishment of cooperation arrangements between the DSA and the CBC. The ECB suggests that, in the context of such cooperation, effective information-sharing mechanisms are put in place in order to enable the CBC to fulfil its tasks under the Treaty and under national law. Such information-sharing arrangements will also ensure that the DSA and the CBC exchange information on actual and potential cyber incidents or threats in the financial sector’s systems and infrastructures and on measures planned and adopted in an effective and timely manner[12].

2.4 In addition, the ECB stands ready to cooperate with the DSA in relation to the systems and infrastructures which the Eurosystem oversees or operates, such as payment systems, instruments and schemes, and the prudential supervision of credit institutions, with a view to ensuring that best practices with regard to NIS are established and followed[13]. The ECB has previously called for establishing such effective cooperation and information-sharing arrangements between the national competent authorities, including the DSA, and other competent authorities, including the national central banks (NCBs), and, through the NCBs, the ECB[14]. Additionally, the ECB suggests ensuring that the DSA shares relevant information, through the CBC, with the ECB in a timely and efficient manner within the framework of their respective responsibilities[15].

3. Impact of the draft law on payment and securities settlement systems

3.1 Impact of the draft law on systemically important payment systems (SIPS)

3.1.1 The ECB has in its oversight role, on the basis of Articles 3.1 and 22 and the first indent of Article 34.1 of the Statute of the ESCB, adopted Regulation (EU) No 795/2014 (ECB/2014/28)[16]. Regulation (EU) No 795/2014 (ECB/2014/28) implements the Principles for financial market infrastructures (PFMIs) issued by the Committee on Payment and Settlement Systems (CPSS) and the International Organization of Securities Commissions (IOSCO)[17] which are legally binding and cover both large-value and retail payment systems of systemic importance, operated either by a Eurosystem central bank or a private entity.

3.1.2 Thus, SIPS are subject to regular assessment against the requirements of Regulation (EU) No 795/2014 (ECB/2014/28) related to operational risk[18], which allows the competent Eurosystem central bank, as competent authority, to verify that the systems are in compliance. In cases of non-compliance, the competent Eurosystem central bank has the power to impose sanctions or corrective measures to ensure compliance[19]. The amended Regulation (EU) No 795/2014 (ECB/2014/28) introduced a number of new requirements for SIPS operators addressing recently identified new risks, including those related to operational and security risks, such as cyber resilience[20], taking into account, inter alia, the Guidance on cyber resilience for financial market infrastructures which was published in 2016 by the Committee on Payments and Market Infrastructures (CPMI) and IOSCO[21].

3.1.3 Furthermore, in line with the requirements set out in Directive (EU) 2016/1148, Regulation (EU) No 795/2014 (ECB/2014/28) already provides competent Eurosystem central banks with the power to obtain information concerning, inter alia, major and minor incidents, the nature and type of the incidents, their seriousness and their duration[22]. The amended Regulation (EU) No 795/2014 (ECB/2014/28) further enhanced competent Eurosystem central banks’ powers to conduct on-site inspections and request independent reviews of and investigations into the functioning of the systems[23].

3.1.4 The ECB understands that the DSA may, by virtue of a decree, capture within the scope of the draft law services which are provided using information systems operated by the Eurosystem or operated by the CBC and overseen by the Eurosystem.

3.1.5 Among listed SIPS, TARGET2 plays a distinct role, as it is owned and operated by the Eurosystem and subject to strict regulation and oversight[24]. The ECB understands that the Cypriot component of TARGET2, TARGET2-CY, for which the CBC acts as the operator, could potentially fall within the scope of the draft law. TARGET2 has been identified, pursuant to Decision ECB/2014/35 of the European Central Bank[25], as a SIPS and is overseen by the ECB as a competent authority under Regulation (EU) No 795/2014 (ECB/2014/28).

3.1.6 While SIPS may fall within the scope of the draft law, the ECB understands that the draft law should be without prejudice to the oversight of SIPS given that such oversight is performed on the basis of ECB regulations. As noted in paragraph 2.3, the ECB suggests that effective information-sharing and cooperation arrangements are put in place to ensure that the DSA shares information with the CBC about actual and potential cyber incidents, as well as planned or adopted measures which may affect SIPS and TARGET2, in a timely and efficient manner in order to enable the CBC to fulfil its tasks under the Treaty and national law. The ECB also suggests that respective cooperation and information-sharing arrangements are established between the DSA and the ECB, through the CBC.

[8] See paragraph 2.1 of Opinion CON/2014/58, paragraph 2.1 of Opinion CON/2017/10, paragraph 2.2 of Opinion CON/2018/22 and paragraph 2.2 of Opinion CON/2018/27. All ECB opinions are published on the ECB’s website at www.ecb.europa.eu.
[9] See also paragraph 2.2 of Opinion CON/2017/10; paragraph 3.1.1 of Opinion CON/2018/22; and paragraph 2.2 of Opinion CON/2014/58.
[10] See paragraph 3.1 of Opinion CON/2014/58 and paragraph 3.5 of Opinion CON/2017/10.
[11] See judgment of the Court of Justice of 10 July 2003, Commission v ECB, C-11/00, ECLI:EU:C:2003:395, paragraphs 134 to 136.
[12] See paragraphs 3.2.4 and 3.4.3 of Opinion CON/2018/22 and paragraph 4.4 of Opinion CON/2018/47.
[13] See paragraph 6.3 of Opinion CON/2018/22.
[14] See paragraphs 2.3 and 6.2 of Opinion CON/2018/22.
[15] See paragraph 4.3 of Opinion CON/2018/27 and paragraph 6.2 of Opinion CON/2018/47.
[16] Regulation (EU) No 795/2014 of the European Central Bank of 3 July 2014 on oversight requirements for systemically important payment systems (ECB/2014/28) (OJ L 217, 23.7.2014, p. 16).
[17] Available on the Bank for International Settlements’ website at www.bis.org.
[18] See Article 15 of Regulation (EU) No 795/2014 (ECB/2014/28), which imposes an obligation on SIPS operators to take steps such as: (a) establish comprehensive physical and information security policies that adequately identify, assess and manage all potential vulnerabilities and threats, (b) ensure that critical information technology systems can resume operations within specified timeframes where an event poses a significant risk of disrupting the SIPS’ operations, etc.
[19] See paragraph 3.4 of Opinion CON/2017/10.
[20] See Articles 15(1a) and (4a), which impose an obligation on SIPS operators to take the following steps: (i) review, audit and test systems, operational policies, procedures and controls periodically and after significant changes; (ii) establish an effective cyber resilience framework with appropriate governance measures in place; (iii) identify their critical operations and supporting assets, and have appropriate measures in place to protect them from, detect, respond to and recover from cyber-attacks; (iv) regularly test the established measures; and (v) have a sound level of situational awareness of cyber threats, including through a process of continuous learning.
[21] Available on the Bank for International Settlements’ website.
3.2 Impact of the draft law on non-SIPS

3.2.1 Non-SIPS include non-systemically important large-value payment systems (LVPS) and non-systemically important retail payment systems (non-SIRPS). Under the revised oversight framework for retail payment systems[26], non-SIRPS have been divided into two distinct groups: prominently important retail payment systems (PIRPS) and other retail payment systems (ORPS). The Cypriot local retail payment systems, JCC Payment Card System, Cyprus Clearing House for cheques and JCC SDD, have been classified as PIRPS or ORPS[27] and the ECB understands that their services could be included in the list of essential services pursuant to the draft law and that the operators of those systems, or of some of those systems, might be designated as operators of essential services.

[22] See Article 21(1a) of Regulation (EU) No 795/2014 (ECB/2014/28).
[23] See Articles 21(1b) and (1c) of Regulation (EU) No 795/2014 (ECB/2014/28).
[24] See paragraph 3.1 of Opinion CON/2018/47.
[25] Decision ECB/2014/35 of the European Central Bank of 13 August 2014 on the identification of TARGET2 as a systemically important payment system pursuant to Regulation (EU) No 795/2014 on oversight requirements for systemically important payment systems (OJ L 245, 20.8.2014, p. 5).
[26] See the Eurosystem’s ‘Revised oversight framework for retail payment systems’ (February 2016), available on the ECB’s website.
[27] See the Eurosystem’s ‘Overview of payment systems’, available on the ECB’s website.

3.2.2 Under the Eurosystem’s oversight policy framework, non-systemically important LVPS and non-SIRPS must follow the CPSS-IOSCO PFMIs, and non-SIRPS must additionally follow the Oversight expectations for links between retail payment systems (OELRPS)[28]. Both the CPSS-IOSCO PFMIs and the OELRPS are soft law instruments, meaning that non-systemically important LVPS, PIRPS and ORPS are subject to oversight standards (which are comparable to the standards under Regulation (EU) No 795/2014 (ECB/2014/28)); however there is, strictly speaking, no Union legislation regulating the oversight or supervision of these systems[29]. The CBC is given supervisory and oversight competence over non-SIPS pursuant primarily to section 48 of the Law on the CBC[30], which in this particular respect does not implement Union ‘laws’ as described above[31].

3.2.3 The revised oversight framework for retail payment systems specifies that all retail payment systems are an integral part of the payment and settlement landscape of the euro area and thus fall within the scope of oversight. Hence, the Eurosystem has an interest in ensuring that the oversight framework and standards applicable to such systems are not prejudiced through the implementation of Directive (EU) 2016/1148 or when introducing other NIS-related laws[32].

3.2.4 If the intention is for non-SIPS to be captured under the scope of the draft law, the ECB suggests that the same clarifications and effective information-sharing and cooperation framework as mentioned in paragraph 3.1.6 are established in relation to and between the CBC and the DSA, and if necessary, with the ECB through the CBC.

3.3 Impact of the draft law on critical service providers

3.3.1 The revised Eurosystem oversight policy framework[33] covers critical service providers such as the Society for Worldwide Interbank Financial Telecommunication (SWIFT).
SWIFT is a limited liability cooperative company established in Belgium, which supplies secure messaging services in a large number of countries. Nationale Bank van België/Banque Nationale de Belgique acts as the lead overseer of SWIFT, and conducts, on the basis of a cooperative oversight arrangement, oversight in respect of SWIFT in cooperation with the other G10 central banks, including the ECB. The G10 overseers recognise that the main focus of oversight is SWIFT’s operational risk, as this is considered to be the primary risk category through which SWIFT could pose a systemic risk to the financial system in the Union. In this regard, the SWIFT Cooperative Oversight Group has developed a specific set of principles and high level expectations that apply to SWIFT, such as risk identification and management, information security, reliability and resilience, technology planning and communication with users. The G10 overseers subject SWIFT to an intense form of oversight, and specifically expect that SWIFT adheres to the CPMI-IOSCO Guidance on cyber resilience and other international standards on IT security, which exceed the requirements set out in Directive (EU) 2016/1148.

[28] See the Eurosystem’s ‘Oversight expectations for links between retail payment systems’, available on the ECB’s website.
[29] See paragraph 2.4.4 of Opinion CON/2017/31 and paragraph 3.2.3 of Opinion CON/2018/22.
[30] Ο περί της Κεντρικής Τράπεζας της Κύπρου Νόμος του 2002 (Ν. 138(I)/2002) [the Central Bank of Cyprus Law of 2002 (Law 138(I)/2002)].
[31] See also paragraph 2.4.4 of Opinion CON/2017/31 and paragraph 4.2 of Opinion CON/2018/47.
[32] See paragraph 3.4.2 of Opinion CON/2018/22 and paragraph 4.3 of Opinion CON/2018/47.
[33] See the Eurosystem’s ‘Eurosystem oversight policy framework’ (revised version), p. 9, available on the ECB’s website.

3.3.2 Similar to the case of non-SIPS, the possibility cannot be excluded that the draft law and the supervisory powers of the DSA could cover critical service providers for which there are applicable oversight measures. It is therefore suggested that the Cypriot authorities take existing oversight arrangements into consideration in their application of the draft law, if the application affects critical service providers[34]. In the particular case of SWIFT, it is proposed that the draft law excludes SWIFT from its scope considering that SWIFT is established in and operated from Belgium with infrastructure hubs that are not located within Cyprus, and that SWIFT simply supplies secure messaging services in Cyprus, as well as in a vast number of other countries.

3.4 Impact of the draft law on payment services and payment instruments and schemes

3.4.1 The Eurosystem oversight policy framework identifies payment instruments, such as cards, credit transfers, direct debit and electronic money, as an ‘integral part of payment systems’, and thus includes these within the scope of its oversight. For payment instruments, the role of primary overseer (for the Eurosystem central bank) is assigned by reference to the national anchor of the payment scheme and the legal incorporation of its governance authority. For credit transfer and direct debit schemes within the Single Euro Payments Area, as well as some of the international card payment schemes, the ECB has the primary oversight role. Payment service providers (PSPs), including credit institutions, payment institutions and electronic money institutions, are subject to Directive (EU) 2015/2366 of the European Parliament and of the Council[35], which is applicable as of January 2018, as implemented into national law. The applicable legal and regulatory framework sets out requirements pertaining to operational and security risks and incident reporting. Nevertheless, prudential supervisors need to exercise careful judgment when deciding whether to publish information concerning individual cybersecurity incidents, to ensure public confidence in the affected institutions is not undermined. Furthermore, the European Banking Authority (EBA) has produced draft guidelines on information and communication technology (ICT) and security risk management[36] which are intended to harmonise standards required from payment service providers as regards ICT security, incident reporting, project management and business continuity. While PSPs are therefore subject to Union legislation and Cypriot regulations based on Union legislation, the oversight of international and domestic card schemes is not subject to Union legislation as such[37].

3.4.2 The ECB understands that the various payment schemes and instruments and PSPs may potentially fall within the scope of the draft law. It is thus suggested that the same clarifications and effective information-sharing and cooperation framework as mentioned in paragraph 3.1.6 are established in relation to and between the DSA and the authorities responsible for the oversight of payment schemes, instruments and services and for the supervision of PSPs[38]. The draft law could also clarify that, as regards the supervision of PSPs, the DSA’s responsibilities are without prejudice to and are aligned with the tasks of the CBC.

3.5 Impact of the draft law on central securities depositories (CSDs)

3.5.1 CSDs are strictly regulated and supervised by different authorities pursuant to Regulation (EU) No 909/2014 of the European Parliament and of the Council[39], which sets out requirements pertaining to operational risk. Furthermore, CSDs should take note of the CPMI-IOSCO Cyber Guidance, which is applicable to all financial market infrastructures.

3.5.2 In addition to the supervisory competences entrusted to national competent authorities (NCAs) under Regulation (EU) No 909/2014, it should be noted that national authorities, in particular the members of the ESCB, may be entrusted with oversight competences in relation to CSDs. In this regard, recital 8 of Regulation (EU) No 909/2014 states that the Regulation should be without prejudice to the responsibilities of the ECB and the NCBs to ensure efficient and sound clearing and payment systems within the Union and other countries and that the Regulation should not prevent the members of the ESCB from accessing information relevant for the performance of their duties, including the oversight of CSDs and other financial market infrastructures[40].

3.5.3 The Cyprus Central Securities Depository and Central Registry (CDCR) is operated by the Cyprus Stock Exchange (CSE)[41], is supervised by the Cyprus Securities and Exchange Commission (CySEC), and overseen by the CBC. While the CDCR may fall within the scope of the draft law, the ECB understands that the draft law should be without prejudice to the supervision and oversight of the CDCR given that such supervision and oversight is performed on the basis of Union legislation. The draft law could also clarify that the DSA’s responsibilities are without prejudice to and are aligned with the tasks of the CBC and of the CySEC.

3.6 Eurosystem cyber resilience strategy for Financial Market Infrastructures (FMIs)

3.6.1 The Cypriot authorities may also wish to take note of the Eurosystem cyber resilience strategy for FMIs, which is intended to support the implementation of the CPMI-IOSCO guidance from an oversight perspective. The objective of this strategy is to (i) improve the cyber resilience of the euro area financial sector as a whole by enhancing the ‘cyber readiness’ of individual FMIs that are overseen by the Eurosystem central banks; and (ii) foster collaboration among FMIs, their critical service providers and the relevant authorities. As part of the strategy, the Eurosystem has developed a range of tools that can be used by FMIs to enhance their cyber resilience, such as a European red team testing framework[42] and other tools, such as cyber surveys and focused assessments to assess the level of cyber maturity of Eurosystem payment systems and to develop cyber resilience oversight expectations[43] which will provide more detailed guidance to payment system operators.

4. Impact of the draft law on credit institutions

4.1 Recital 13 of Directive (EU) 2016/1148 states that requirements in respect of information systems, which often exceed the requirements provided for under Directive (EU) 2016/1148, are set out in a number of Union legal acts, including the rules on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms. Member States should consider those requirements in their application of provisions transposing Directive (EU) 2016/1148 as lex specialis. Indeed, the Union legal acts harmonising the area of supervision of credit institutions include Regulation (EU) No 575/2013 of the European Parliament and of the Council[44] and Directive 2013/36/EU of the European Parliament and of the Council[45], jointly establishing the CRR/CRDIV framework. Credit institutions established in Cyprus must also adhere to the Directive on governance and management arrangements[46], enacted by the CBC, which sets, inter alia, a framework of principles for a sound and effective operation of information technology systems in the context of managing operational risk.

4.2 The ECB and the CBC are the competent authorities exercising specified supervisory powers under the CRR/CRDIV framework, by virtue of Council Regulation (EU) No 1024/2013[47] which confers specific tasks on the ECB concerning the prudential supervision of credit institutions within the euro area and makes the ECB responsible for the effective and consistent functioning of the Single Supervisory Mechanism (SSM) within which specific supervisory responsibilities are distributed between the ECB and the participating NCAs, including the CBC. In particular, the ECB carries out the task to authorise and to withdraw the authorisations of all credit institutions.

[34] See paragraph 3.3.1 of Opinion CON/2018/22 and paragraph 5 of Opinion CON/2018/47.
[35] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, p. 35).
[36] See EBA Guidelines on internal governance under Directive 2013/36/EU of 26 September 2017 (EBA/GL/2017/11) and EBA draft Guidelines on ICT and security risk management of 13 December 2018 (EBA/CP/2018/15), available on the EBA’s website at www.eba.europa.eu.
[37] See paragraph 2.4.3 of Opinion CON/2017/31 and paragraph 3.4.2 of Opinion CON/2018/22.
[38] See also paragraph 3.4.3 of Opinion CON/2018/22 and paragraph 6.2 of Opinion CON/2018/47.
[39] Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012 (OJ L 257, 28.8.2014, p. 1).
[40] See paragraph 7.2 of Opinion CON/2018/47 and paragraph 7.3 of Opinion CON/2017/10.
[41] The Cyprus CSD is established in accordance with the provisions of Law 27(I)/1996 on securities and the Cyprus Stock Exchange (Central Securities Depository and Central Registry) (Ο περί Αξιών και Χρηματιστηρίoυ Αξιών Κύπρoυ (Κεντρικό Απoθετήριo και Κεντρικό Μητρώo Αξιών) Νόμoς τoυ 1996 (Ν. 27(I)/1996)).
[42] See the Eurosystem’s Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU) (May 2018), available on the ECB’s website.
For significant credit institutions the ECB also has the task, among others, to ensure compliance with the relevant Union law that imposes prudential requirements on credit institutions, including the requirement to have in place robust governance arrangements, such as sound risk management processes and internal control mechanisms[48]. To this end, the ECB is given all supervisory powers to intervene in the activity of credit institutions that are necessary for the exercise of its functions.

4.3 The prudential supervision of credit institutions, as exercised by the ECB and the CBC within the SSM, covers several aspects related to cybersecurity as part of the prudential supervision of operational risk, which means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events[49]. In addition, as noted in paragraph 3.4.1, the EBA has produced guidelines on internal governance, covering aspects of IT risks, and draft guidelines on ICT and security risk management[50] which are intended to harmonise the requirements for credit institutions, investment firms and payment service providers as regards ICT security, incident reporting, project management and business continuity. Further EBA Guidelines are under development, concerning the inclusion of cyber risk aspects in the Supervisory Review and Evaluation Process (SREP)[51]. The ECB has developed comprehensive IT risk questionnaires for supervised credit institutions that are fed into their SREP outcomes and also uses insights on cyber-security issues drawn from thematic reviews, on-site inspections and reports of cyber incidents[52]. Such insights may form the basis for ad hoc institution-specific recommendations and general sector-wide comparisons and policies. At the same time, prudential supervisors need to exercise careful judgment when deciding to publish information concerning individual cybersecurity incidents so as to not undermine public confidence in the affected credit institutions.

4.4 Moreover, the ECB and the NCAs within the SSM are responsible for the assessment of recovery plans and taking early intervention measures under Directive 2014/59/EU of the European Parliament and of the Council[53] (as transposed into national law). Further, the primary responsibility for determining that a significant credit institution is failing or likely to fail as a condition to the resolution of a credit institution lies with the ECB[54]. In the case of resolution, one of the resolution objectives is to ensure the continuity of critical functions[55], which can include the continuing functioning of the credit institution’s payment and cash circulation systems.

[43] See the Cyber resilience oversight expectations for financial market infrastructures (CROE) (December 2018), available on the ECB’s website.
[44] Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).
[45] Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).
[46] H περί Ρυθμίσεων Διακυβέρνησης και Διαχείρισης Οδηγία του 2014 [the Governance and Management Arrangements Directive of 2014].
[47] Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
[48] See Articles 4(1)(e) and 6(4) of Regulation (EU) No 1024/2013.
Central banks are excluded from the scope of Directive 2013/36/EU and are thus not supervised 4.5 institutions falling within the scope of Regulation (EU) No 575/2013. Therefore, neither the ECB nor the CBC fall s within the scope of the ‘banking sector’ for the purposes of point (3) of Annex II to 56 . Directive (EU) 2016/1148 4.6 It is understood that, during the exercise of its monitoring task, the DSA m ight request the assistance of both signi ficant and less significant credit institutions established or operating in Cyprus, and of the CBC and the ECB as competent authorities exercising specific supervisory 57 at credit . It is also understood th powers in relation to such credit institutions within the SSM institutions established in Cyprus can be designated as operators of essential services, and thus 49 See Article 4(1)(52) of Regulation (EU) No 575/2013. 50 See the EBA Guidelines on internal governance under Directive 2013/36/EU of 26 September 2017 (EBA/GL/2017/11) and the EBA draft Guidelines on ICT and security risk management of 13 December 2018 (EBA/CP/2018/15), available on the EBA’s website. 51 See the EBA draft Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) of 6 October 2016 (EBA/CP/2016/14), available on the EBA’s website. 52 See also the Newsletter article of 13 February 2019 on ‘IT and cyber risk - the SSM perspective’, available on the ECB’s website. 53 See Articles 27 to 30 of Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/ EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (OJ L 173, 12.6.2014, p. 190). 54 See Article 32(1)(a) of Directive 2014/59/EU. 
55 See Article 31(2)(a) of Directive 2014/59/EU. 56 See paragraph 2.4 of Opinion CON/2017/10. 57 See Article 17(hh) οf the draft legislative provisions. 10

11 ECB -PUBLIC inally, it is understood that would need to comply with their obligations under the draft law. F 58 , m ight include informing the general public about cyber incidents, as anticipated in the draft law incidents originating from credit institutions. In light of the above, the ECB recommends clarifying that the scope of the draft law and any 4.7 are without prejudice to the c powers granted to the DSA thereunder ompetences, tasks and 59 . powers of the ECB and the CBC under Regulation (EU) No 1024/2013 and relevant national law In addition, to enable the ECB and the CBC to fulfil their tasks within the SSM, the ECB , for the purposes of the draft law , cooperation and information- sharing recommends that arrangements are established not only between the DSA and the CBC, but also between the DSA 60 . Examples of areas which such and the ECB, through the CBC as referred to in paragraph 2. 3 are include, but cooperation and information- sharing arrangements may helpfully address not limited to, deciding on , the process for reporting requirements imposed on credit institutions publication of information concerning individual cybersecurity incidents, and the safeguarding of the continuity of critical functions of credit institutions. This opinion will be published on the ECB’s website. Done at Frankfurt am Main, 2 May 2019. [signed] The President of the ECB Mario DRAGHI 58 See Article 35 of the draft law. 59 See also paragraph 4 of Opinion CON/2018/22; paragraph 3.5 of Opinion CON/2018/39; and paragraph 8.7 of Opinion CON/2018/47. 60 on CON/2018/22 and paragraph 8.7 of Opinion CON/2018/47. See also paragraph 4.6 of Opini 11
