EBF position on Cyber incident reporting

16 October 2019

This document aims to address the fragmentation of the EU cyber incident reporting framework, resulting from the existence of several different incident reporting requirements across Europe, and to make proposals for regulators and policymakers for fostering information sharing and cooperation between Financial Institutions and Supervisory Authorities.

Depending on the type of incident, the reporting entity and the different legislation that applies, the current regulatory framework for incident reporting is characterised by:

These elements create additional regulatory and operational burdens that financial institutions have to bear during or immediately after suffering a cyber incident. They also prevent the creation of more centralised and uniform mechanisms that can speed up the reporting process and enable a smoother exchange of information and good practices. Because of the complex rules and reporting channels, the differing existing requirements result in coordination and compliance challenges.

To ensure that financial institutions are able to report cyber incidents quickly and effectively without sacrificing proper incident management and recovery, and very much in line with the ESAs' Joint Advice on legislative improvements, the European Banking Federation (EBF) makes the following proposals for supervisors and regulators:

Full position on EBF