2021-10-29
The Bank of Italy issues this communication to implement the updated EBA Guidelines on major incident reporting under PSD2 for payment service providers, effective January 1, 2022. The document establishes new criteria for classifying security breaches and simplifies reporting obligations by extending initial report deadlines to four hours after classification and limiting interim reports to incidents lasting over three working days. Payment service providers must continue to report directly to the Bank of Italy, with significant banks maintaining a two-hour notification window to align with ECB cyber incident requirements.
Communication of 29 October 2021. Implementation for Payment Service Providers of the Updated EBA Guidelines on Major Incident Reporting under PSD2 (EBA/GL/2021/03).
Article 96(3) of PSD2 (1) mandates the EBA, in collaboration with the European Central Bank, to prepare Guidelines concerning the reporting of major operational and security incidents affecting payment services. On 10 June 2021, the EBA issued the Updated Guidelines on Major Incident Reporting under PSD2 (2), which repeal and replace the previous 2017 Guidelines (3) and apply from 1 January 2022.
Through this communication, the Bank of Italy implements the EBA's Updated Guidelines on Major Incident Reporting under PSD2 (4) with reference to payment service providers.
The Guidelines apply to banks, branches of non-EU banks, payment institutions, electronic money institutions, and Bancoposta.
In continuity with the previous regulatory framework, payment service providers report directly to the Bank of Italy (5) according to operational instructions defined by the Bank (6). Furthermore, for banks, the Guidelines continue to be integrated into the general framework of regulations regarding the detection and notification to the Bank of Italy of cybersecurity incidents for all activities conducted by the bank.
The Guidelines establish criteria for classifying major operational or security incidents, as well as the content, format, and procedures for communicating these incidents to national authorities. Compared to the previous version, the updated Guidelines refine the framework to strengthen and, simultaneously, simplify the major incident reporting regime in light of accumulated experience.
In particular, the Guidelines introduce a new indicator criterion related to the breach of network or information system security, with the objective of more adequately capturing incidents resulting from malicious actions that compromise the availability, authenticity, integrity, or confidentiality of the network or information systems (including data) related to the provision of payment services.
The following simplifications are also introduced regarding the obligations of intermediaries:
1 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market.
2 EBA Revised Guidelines on major incident reporting under PSD2 (EBA/GL/2021/03). The text is available on the EBA website at the following link: https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-majorincidents-reporting-under-psd2.
3 EBA Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10), issued by the EBA on 27 July 2017.
4 See Circular 285, Part I, Title IV, Chapter 4, Section IV, para. 6, and Section VII; Supervisory provisions for payment institutions and electronic money institutions, Chapter VI.
5 It is therefore not possible to delegate the sending of the communication to a third party.
6 See "Instructions for the reporting of major cybersecurity incidents", currently under update, available at the address: https://www.bancaditalia.it/statistiche/raccolta-dati/segnalazioni/rilevazioni-vigilanza/index.html.
of the incident to ensure alignment with what is already required by the European Central Bank with reference to cyber incidents;
The Guidelines have already been subject to public consultation and regulatory impact analysis at the European level (7). Given the limited nature of the changes, and considering that the choices made by the Bank of Italy (the obligation for payment service providers to report directly, and for banks to integrate the Guidelines into the framework for cybersecurity incidents affecting all activities conducted) maintain continuity with the previous regime, neither a new public consultation nor a regulatory impact analysis was conducted, in line with the Bank of Italy Regulation on normative acts (8).
This communication has the nature of a normative act of a general binding character for the recipients and enters into force on the day of publication on the Bank of Italy website. The provisions contained in the Guidelines apply from 1 January 2022.
7 The updated Guidelines were subject to public consultation by the EBA from October to December 2020. For the regulatory impact analysis, see EBA, Final Report on Revised Guidelines on major-incident reporting under PSD2, available on the EBA website at the following link: https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/Guidelines%20on%20major%20incident%20reporting%20under%20PSD2%20EBA-GL-202103/1014562/Final%20revised%20Guidelines%20on%20major%20incident%20reporting%20under%20PSD2.pdf
8 Bank of Italy Measure of 9 July 2019, "Regulation governing the adoption of acts of a normative or general content by the Bank of Italy in the exercise of supervisory functions, pursuant to Article 23 of Law 28 December 2005, no. 262", art. 8, para. 2, lit. a).