Guidelines on major incidents reporting under PSD2

Status: Final (awaiting translation into the EU official languages)

These Guidelines support the objectives of the PSD2: strengthening the integrated payments market across the European Union, ensuring a consistent application of the legislative framework, promoting equal conditions for competition, providing a secure framework for the payments environment and protecting consumers.

EBA publishes Final Guidelines on major incident reporting under PSD2

27 July 2017

The European Banking Authority (EBA) published today the Final Guidelines on major incident reporting under the revised Payment Services Directive (PSD2). The Guidelines were developed in close cooperation with the European Central Bank (ECB), are addressed to all payment services providers and competent authorities in the 28 EU Member States, and contribute to the objective of the PSD2 of minimizing disruption to users, payment service providers and payment systems. 
 
The Guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State. In developing the Guidelines, the EBA and ECB have built on the experience across national jurisdictions and authorities and assessed existing similar practices for incident reporting.

More specifically, these Guidelines provide the template that payment service providers are required to use for this notification and the reports they have to send during the lifecycle of the incident, including the time frame to do so. The Guidelines also establish a set of criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of the PSD2. Moreover, they detail the minimum information that competent authorities should share with these domestic authorities when an incident is considered of relevance for the latter.
 
Following the analysis of the 43 responses received during the public consultation, the EBA has made some amendments to the Guidelines. In particular, it has further defined the criteria, reviewed one of the thresholds, extended the deadline for the first report, streamlined the amount of information to be provided at that stage, and generally clarified the information to be provided in each of the reports.
 
The Guidelines will apply from 13 January 2018.
 

Legal basis

Article 96(3) of Directive (EU) 2015/2366 on Payment Services in the Internal Market (PSD2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), Guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities.
 

Press contacts:

Franca Rosa Congiu

E-mail: press@eba.europa.eu - Tel: +44 (0) 207 382 1772