Final and translated into the EU official languages
These Guidelines are in support of the objectives of the PSD2 of strengthening the integrated payments market across the European Union, ensuring a consistent application of the legislative framework, promoting equal conditions for competition, providing a secure framework on the payments environment and protecting consumers.
The European Banking Authority (EBA) launched today a public consultation to propose revising the Guidelines on major incident reporting under the Payment Service Directive (PSD2). The proposal aims at optimising and simplifying the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents that will be reported, and improving the meaningfulness of the incident reports received. The revision of the Guidelines also intends to decrease the reporting burden on payment service providers (PSPs). The consultation runs until 14 December 2020.
The existing Guidelines on major incident reporting set out, inter alia, the criteria, thresholds and methodology to be used by PSPs to determine whether or not an operational or security incident should be considered major and how said incident should be notified to the CA in the home Member State.
The consultation paper proposes the introduction of the new incident classification criterion ‘breach of security measures’ to capture security incidents where the breach of the security measures of the PSP has an impact on the availability, integrity, confidentiality and/or authenticity of the payment services related data, processes and/or systems. The consultation paper also introduces changes to the thresholds for the calculation of the criteria ‘transactions affected’ and ‘payment service users affected’.
In addition, to improve the quality of the reports collected, the EBA suggests the use of a standardised file for reporting major incident reports, streamlining the reporting template, and adding further granularity to the reported causes of incidents and aligning those to other incident reporting frameworks in the EU.
Finally, and crucially, as part of the changes introduced to reduce the reporting burden to PSPs, the EBA proposes to remove the regular updates on the intermediate report and to extend the deadline for submission of the final report.
Article 96(3) of Directive (EU) 2015/2366 on Payment Services in the Internal Market (PSD2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), Guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
Article 96(4) of PSD2, in turn, requires the EBA, in close cooperation with the ECB, to review the Guidelines on a regular basis and in any event at least every 2 years.
Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 14 December 2020. All contributions received will be published following the end of the consultation, unless requested otherwise.
The European Banking Authority (EBA) launched today a public consultation to propose revising the Guidelines on major incident reporting under the Payment Service Directive (PSD2). The proposal aims at optimising and simplifying the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents that will be reported, and improving the meaningfulness of the incident reports received. The revision of the Guidelines also intends to decrease the reporting burden on payment service providers (PSPs). The consultation runs until 14 December 2020.
The existing Guidelines on major incident reporting set out, inter alia, the criteria, thresholds and methodology to be used by PSPs to determine whether or not an operational or security incident should be considered major and how said incident should be notified to the CA in the home Member State.
The consultation paper proposes the introduction of the new incident classification criterion ‘breach of security measures’ to capture security incidents where the breach of the security measures of the PSP has an impact on the availability, integrity, confidentiality and/or authenticity of the payment services related data, processes and/or systems. The consultation paper also introduces changes to the thresholds for the calculation of the criteria ‘transactions affected’ and ‘payment service users affected’.
In addition, to improve the quality of the reports collected, the EBA suggests the use of a standardised file for reporting major incident reports, streamlining the reporting template, and adding further granularity to the reported causes of incidents and aligning those to other incident reporting frameworks in the EU.
Finally, and crucially, as part of the changes introduced to reduce the reporting burden to PSPs, the EBA proposes to remove the regular updates on the intermediate report and to extend the deadline for submission of the final report.
Article 96(3) of Directive (EU) 2015/2366 on Payment Services in the Internal Market (PSD2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), Guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
Article 96(4) of PSD2, in turn, requires the EBA, in close cooperation with the ECB, to review the Guidelines on a regular basis and in any event at least every 2 years.
Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 14 December 2020. All contributions received will be published following the end of the consultation, unless requested otherwise.
The European Banking Authority (EBA) launched today a consultation on its draft Guidelines developed in close cooperation with the European Central Bank (ECB) under the revised Payment Services Directive (PSD2). The draft Guidelines specify (i) the criteria for classifying operational or security incidents as major, (ii) the template to be used by payment service providers when notifying them to the Competent Authorities (CAs,) and (iii) the indicators CAs need to use when assessing the relevance of such incidents. These Guidelines are in support of the objectives of the PSD2 of strengthening the integrated payments market across the European Union (EU), ensuring a consistent application of the legislative framework, promoting equal conditions for competition, providing a secure framework on the payments environment and protecting consumers. The consultation runs until 7 March 2017.