potential threat to the financial sector’s stability, the European Parliament has called on the
Commission ‘to make cybersecurity the number one priority in the FinTech action plan’.
Repeated cyber incidents triggered by the exploitation of basic security flaws in systems and
organisations underscore the critical importance of practising fundamental cyber hygiene
within any organisation. Stricter cyber hygiene measures and requirements are crucial to ensure
integrity. However, the degree to which firms are subject to and strengthen their cyber
hygiene standards varies across the EU, depending largely on industry and national practices.
At EU level, current financial services legislation, in particular covering financial market
infrastructures and payments, already contains specific requirements on the integrity of IT
resources and systems and their governance. In other areas, requirements are more general,
for example in the case of business continuity or general operational risk requirements.
The transposition by Member States of the provisions of the directive on security of network and
information systems (NIS) on security requirements in other financial services is ongoing.
Gaps may, however, remain in EU financial sector legislation that should be filled to improve
the sector’s resilience. Before taking such action, supervisory requirements and practices
should be studied carefully. This way, best practices in applying general requirements can be
identified.
Access to threat intelligence and information sharing are also fundamental to improving
cybersecurity. Closer cooperation and coordination of threat intelligence sharing across the
EU financial sector will help to prevent and mitigate cyber threats. Some respondents to the
FinTech consultation expressed concern that information sharing on cyber threats could be
constrained by legislation. It might for example not be compatible with the General Data
Protection Regulation. This Regulation, however, recognises that the processing of personal
data necessary and proportionate for the purpose of ensuring network and information
security constitutes a legitimate interest.
Supervisors are increasingly conducting penetration and resilience testing to assess the
effectiveness of cyber defences and security requirements. Rigorous testing is already an
industry best practice, and increasingly tests and testing modalities are mandated by
authorities. As financial institutions and financial market infrastructures operate on a
cross-border basis, the multiplication of testing frameworks is perceived as unnecessarily
increasing the costs and potentially increasing the risks. Stakeholders stressed the need for more
regulatory and supervisory coordination at European level. They stated this should be
combined with stronger cooperation between jurisdictions and mutual reliance between
authorities on test results whose sensitive nature had to be protected. In this context, the
Commission considers the efforts that the ECB, the ESAs and national supervisors are making
for example to develop an EU-wide Threat Intelligence Based Ethical Red Teaming (TIBER-EU)
testing framework as promising. Assessing cyber resilience of significant financial
‘Report on FinTech: the influence of technology on the future of the financial sector’, Committee on
Economic and Monetary Affairs, Rapporteur: Cora van Nieuwenhuizen, 2016/2243(INI), 28 April 2017.
ENISA, Review of the Cyber Hygiene practices, December 2016, p.14, available here.
Cyber hygiene is a fundamental principle relating to information security […], is the equivalent of establishing
simple routine measures to minimise the risks from cyber threats. The underlying assumption is that good
cyber hygiene practices can drive increased immunity across businesses reducing the risk that one
vulnerable organisation will be used to either mount attacks or compromise a supply chain.
Directive (EU) 2016/1148.
Financial Stability Board, Stocktake of publicly released cybersecurity regulations, guidance and supervisory
practices, October 2017, pp. 65-70, available here (tbc).