Position Paper on the Directive on Security of Network and Information Systems (NIS) and the Digital Operational Resilience Act (DORA)

KEY TAKEAWAYS

  • Payments Europe recognises the importance of secure payment systems to promote smooth operation and functioning of the economy within the EU and believes increased security can help preserve and strengthen the role of the Euro.
  • The existing Eurosystem is competent for overseeing operational and cybersecurity arrangements, incident notifications, risk management and governance requirements of payment and settlement systems, in line with the globally agreed PFMI (Principles for Financial Market Infrastructures).
  • For this reason, we ask the legislators to continue considering payment and settlement systems outside of the scope of both the NIS Directive and DORA.
  • We also request an explicit reference to be made in these pieces of legislation asking Member States not to replicate European oversight obligations at the national level.

POSITION PAPER

Payments Europe welcomes the European Commission’s objective to further strengthen and streamline the existing framework governing operational and cyber resilience across the financial sector.

At Payments Europe, we share the belief that cybersecurity needs to be enhanced for the benefit of consumers and businesses alike. We also recognise the importance of secure payment systems to promote smooth operation and functioning of the economy within the EU and believe increased security can help preserve and strengthen the role of the Euro.

The existing Eurosystem for the oversight of payment and settlement systems comprises the European Central Bank and the national central banks of the Member States whose currency is the euro. It is competent for overseeing operational and cybersecurity arrangements, incident notifications, risk management and governance requirements in line with globally agreed PFMI principles. The Eurosystem is robust and effective, and forms the basis for payment and settlement systems being considered outside the scope of the NIS Directive and the Digital Operational Resilience Act (DORA).

The choice to carve payment and settlement systems out of the applicability of the NIS Directive (1) is based on an ECB opinion. It states that the responsibility for developing oversight requirements in these areas should remain with the authorities already competent for it to avoid potentially conflicting requirements imposed by other authorities. In fact, the exclusion indicates that rules governing payment systems are already sufficient and need to remain harmonised across the EU. This guarantees that cross-border risks such as those related to cybersecurity can properly be tackled at supra-national level.

Nonetheless, the current NIS framework leaves room for Member States’ discretion when it comes to the setting of security requirements and rules governing incident notification. This approach has, in practice, led to significant differences in the application of the Directive to payment and settlement systems across the EU.

Cybersecurity legislation should focus on improving the baseline of cybersecurity resilience across Member States without leaving room for Member States to develop detailed regulatory schemes. Prescriptive and detailed requirements at national level can make it difficult for companies to comply, while not necessarily ensuring a higher level of cybersecurity.

For this reason, we ask the European Commission to continue considering payment and settlement systems outside of the scope of both the NIS Directive and the upcoming DORA. We also request an explicit reference be made in these pieces of legislation asking Member States not to replicate European oversight obligations at the national level.

Footnotes:

  1. Recital 14, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC#ntr6-L_2016194EN.01000101-E0006