The ECB announced in June that, building on a successful pilot run last year, it would require banks under its supervision to report all major cyber incidents from this summer. At the time, however, the ECB did not give much detail about the nature of the requirements it would impose or when precisely they would take effect.
Now the ECB has confirmed to Out-Law.com that the new incident reporting requirements took effect on 10 July and that they are "tailored to each individual institution". Under the requirements, the firms must report "significant cyber incidents" to the ECB. The ECB has not confirmed what incidents would be classed as 'significant'.
"The reporting framework was implemented as a pilot in February 2016," the ECB said in a statement. "18 banks were selected, of which 15 reported directly to the ECB and three reported indirectly through their respective national competent authorities. It was rolled out to all significant institutions (SIs) on 10 July 2017."
"Key characteristics of the process are real-time reporting (as the incident is occurring), a coordinated approach for major incidents and a horizontal follow-up on all incidents over time," it said.
The ECB confirmed that the mandatory cyber incident reporting requirements do not stem directly from a specific EU directive or regulation. Instead, it said the requirements were developed by its Governing Council using powers set out in two EU regulations. The regulations concern how the ECB supervises credit institutions, and how it cooperates with other financial regulators across the EU, respectively.
"The Governing Council’s decisions to impose the reporting requirements are binding, meaning that SIs who do not respect the decision could be subject to sanctions," the ECB said.
Last year, EU law makers finalised a new Network and Information Security (NIS) Directive which sets out cybersecurity obligations, including cyber incident reporting duties, for operators of 'essential services' and digital service providers.
While the Directive leaves it up to each EU member state to specify which organisations in their jurisdiction should be classed as operators of essential services, with reference to criteria set out in the legislation, it specifically states that credit institutions could be classed as operators of essential services and made subject to the NIS regime.
However, the Directive allows law makers in individual member states to exempt businesses that might otherwise be classed as operators of essential services from the NIS regime if there are already "Union legal acts" that set out sector-specific requirements regarding the security of firms' network and information systems or the notification of cybersecurity incidents, and those requirements "are at least equivalent in effect" to the obligations set out in the NIS Directive.
Earlier this summer, the UK government said that it would take advantage of the carve-out in the NIS Directive to exempt firms operating in banking and financial markets infrastructure from proposed new UK legislation which would implement the NIS Directive. In August, the government then confirmed to Out-Law.com that it planned to update UK legislation to codify reporting requirements for central counterparties (CCPs) as part of a move to ensure equivalence of regulation with the NIS Directive.
In response to questions put to it by Out-Law.com, the ECB confirmed that it has been liaising with ENISA, the EU Agency for Network and Information Security, about aligning its new cyber incident reporting regime with the one under the NIS Directive.
Under the Directive, ENISA is obliged to work with member states to "draw up advice and guidelines" relating to technical security standards. A non-binding recital in the legislation also states that ENISA should "be involved in the development of guidelines for sector-specific criteria for determining the significance of the impact of an incident".
The ECB said: "We understand that the NIS Directive is still in a very early stage of implementation. For instance, the guidelines for its application are still in the process of being written, so many aspects remain unclear as yet. The ECB is in contact with ENISA, which is the overall responsible institution for the implementation of the NIS Directive. As the details on the application of the NIS directive become clearer, the ECB will work to align its approach with its requirements as much as possible."
The ECB said that it has not published the cyber incident reporting requirements it has issued to banks because the documents are confidential.
"As they fall into the remit of our supervisory activities and concern our relationship with the banks, we cannot put them in the public domain," it said.