Cybersecurity in the EU The Example of the Financial Sector: A Legal Perspective

Abstract

Cybersecurity in the financial sector is a dynamic and evolving policy field with unique challenges and specific characteristics. While it has recently received a lot of attention from disciplines like Economics and Politics, legal literature on this topic, especially with regard to EU law, still lags behind. This is surprising, given that cybersecurity in the EU is characterized by complex governance structures, a variety of legal sources, and a wide range of different rule makers and involved actors, and given that only a clear legal framework with efficient institutions at both EU and Member State level can provide for a safe digital environment. The purpose of this Article, therefore, is twofold: On the one hand, it aims to introduce the legal aspects of cybersecurity in the financial sector while taking stock of existing cybersecurity schemes, including their strengths and weaknesses from a legal perspective. On the other hand, it will set out key elements that cybersecurity regulation in the financial sector must respect in order to be effective and come up with reform proposals to make the EU financial sector more cybersecure.

A. Introduction

The spokesperson of an influential hackers club once compared the world‘s digital infrastructure to a poorly maintained system of water pipes in a developing country megalopolis. Leaks can be found in every nook and corner; technicians try to plug the holes 24/7; but all they have is duct tape.¹

Alongside space, air, land, and sea, cyber is the fifth dimension. It opens a global virtual world, radically changing societies and shaking classical borders. But a digital world also comes with new types of micro threats on businesses and citizens, and macro threats on public policies and state security, which are asymmetrical, unpredictable, and unaffected by classical state responses. They occur at the level of tricksters and range up to state espionage and, potentially, offensive cyber-attacks against states. Cyber is as such a new global world, where there is no dividing line between external and internal security. There is an attacker in one country, aiming for a target in another, causing damage in yet a third. There are as well large-scale attacks targeting and affecting several Member States at once—with the actual attack being carried out in cyberspace, which does not even adhere to one spot, country, or continent, but is a dimension for itself. This raises the question of the adequacy, or inadequacy, of the classical regulatory tools to reply to these challenges.²

In this new environment, the EU and its Member States need to anticipate and plan for hitherto unimaginable scenarios in which they would be put if under a severe cyber-attack. This is particularly true for the implementation of the European Commission‘s EU Digital Single Market agenda.³ With the financial industry at its very center, a digital single market for the free movement of persons, services, and capital is highly dependent on a reliable and robust IT infrastructure. Comparable to the field of “industry 4.0,” innovation in the financial sector—for example, the idea of a “Digital City,” a financial platform of Europe that coordinates a network of financial centers in the EU⁴—and the success of new business models depend on trust in a safe digital environment.

Cybersecurity is a term that covers a wide range of activities. Broadly speaking, it can be divided into three different categories: Network and information security, fight against cybercrime, and cyber defense. With regard to network and information security, cybersecurity can be defined as the ability of network and information systems to resist action that compromises the availability, authenticity, integrity, or confidentiality of digital data or the services those systems provide.⁵ This Article will focus on cybersecurity in the financial sector in its dimension of network and information security. Still, it will also refer to the other two areas of cybersecurity where necessary and appropriate. The financial sector is understood as the entirety of payment systems, credit institutions, payment institutions, stock exchanges, trade repositories, central securities depositories, central counterparty clearing houses, securities settlement platforms, credit rating agencies, insurance companies, and asset management companies.

The disruptive effects of a successful cyber-attack against the financial sector can be devastating, resulting in financial shocks. In November 2018, Benoît Cœuré, member of the Executive Board of the European Central Bank (ECB), pointed out, “the next financial crisis may well start as a cyber-incident.”⁶ In March 2017, the G20 Finance Ministers and Central Bank Governors noted, “the malicious use of information and communication technologies could disrupt financial services crucial to both national and international financial systems, undermine security and confidence, and endanger financial stability.”⁷ A breakdown of wholesale payment systems can endanger the provision of liquidity by central banks and jeopardize the implementation of monetary policy.⁸ At the micro-level, a successful cyber-attack may result in the theft or loss of funds and intellectual property, the manipulation or loss of sensitive corporate or customer information, and the interruption of services provided by a financial institution. A successful cyber-attack can also cause indirect costs such as negative effects on customer relationships, diminished reputation, and, potentially, regulatory sanctions and civil liability.⁹

It, therefore, comes as no surprise that cybersecurity has attracted a lot of attention from national, European, and international policy makers in recent years, especially with regard to the financial sector. Subsequently, a complex picture of different actors, bodies, and regulatory schemes has emerged. Likewise, the private sector reinforced its efforts to build up stronger cybersecurity capabilities.

This Article proceeds in five parts. It aims to provide a comprehensive analysis of the current EU regulatory environment for cybersecurity in the financial sector, and to identify its strengths and weaknesses from a legal perspective—a topic that has not yet received a lot of attention in legal literature. Following a brief overview of the current cyber threat landscape in Section B, the Article develops a framework of key elements that cybersecurity regulation in the financial sector must respect in order to be effective and clarifies the role of the private sector and public authorities in protecting the financial sector against cyber-attacks in Section C. Subsequently, the Article provides a stock take of the current legal framework for cybersecurity in the financial sector. While Section D focuses on the overall legal framework for cybersecurity in the financial sector, Section E examines the legal situation at the EU level in more detail. In this regard, EU cybersecurity schemes for systemically important payment systems and credit institutions are used as reference areas. Finally, the Article explores possible ways forward to make the EU financial sector more cybersecure. In this regard, only a clear legal framework with efficient institutions at both EU and Member State level can provide for a safe digital environment, as considered in Section F.

B. Overview of the Threat Landscape

I. Categories of Cyber Threats

In recent years, cyber-attacks have grown rapidly in scale, scope, and sophistication.¹⁰ They concern the entire ecosystem, whether states, individuals, or businesses, and question a number of important dichotomies, including internal/external, public/private, and civilian/military.¹¹ Cyber-attacks are part of “hybrid-threats,” a “mixture of conventional and unconventional, military and non-military, overt and covert actions that can be used in a coordinated manner by state or non-state actors to achieve specific objectives.”¹² They can be attributed to four different and, to some extent, overlapping threat-categories.

1. Cyber War

Cyber war, or hybrid forms of it, is usually a state-sponsored form of action against another state carried out via electronic networks. It includes warfare against another state‘s military, public, and private sectors, as well as the civilian population. Until now below the threshold of formally declared warfare, cyber aggressions are likely to be used with greater intensity and accuracy in the future, opening the door for “think the unthinkable” types of scenarios in the years to come. Due to the anonymity of the internet, the attribution of cyber-attacks is complicated, and perpetrators often remain unidentified. Typical tools of cyber war include botnets and worms such as Stuxnet, a computer worm first discovered in July 2010, and deemed a joint Israeli/US effort to disrupt Iran‘s nuclear program.¹³ A less intrusive, but just as dangerously efficient, way of harming other states and players is electronic disinformation and propaganda. Yet, what is new is the increasingly systematic use of cyberspace by states to pursue national foreign and security policy objectives. Cyber-attacks are getting more sophisticated and more aggressive, targeting critical infrastructures to potentially disrupt states.

2. Cyber Espionage

Cyber espionage concerns breaches in the databases of public authorities and state or non-state enterprises by foreign governments to gather information such as trade secrets and strategically important corporate knowledge. In December 2018, the US and the UK accused hackers linked to the Chinese Ministry of State Security of obtaining unauthorized access to the computers of at least forty-five entities, including commercial and defense technology companies and US government agencies such as NASA and the US Navy.¹⁴

3. Cyber Terrorism and Cyber Vandalism

Cyberterrorism is the use of cyberspace to commit terrorist acts such as hacking into a system to cause a nuclear plant to melt.¹⁵ Below the threshold of cyber terrorism, cyber vandalism has no specific objective or target. It is carried out “more for the thrill than anything else.”¹⁶

4. Cybercrime

Cybercrime, such as phishing,¹⁷ online fraud, and online forgery, involves offenses against property rights, including intellectual property, launched by non-state actors. It is a threat to everybody. “Cybercrime as a service” is becoming a widely used practice. Facilitated by the dark net, hacking can be ordered and purchased as easily as a taxi. Cybercrime is growing very fast and has dramatic economic costs. As a percentage of global GDP, cybercrime cost the global economy 0.8 percent of GDP in 2016, up from 0.62 percent in 2014.¹⁸ Globally, it will cost businesses over five trillion US dollars per year by 2024.¹⁹ Cyber-attacks can massively affect the business community. The most affected sectors are banking and utilities—with 18.37 and 17.84 million US dollars on average annual cost of cybercrime for each organization in the industry in 2018.²⁰ Cyber-attacks can also ruin the reputation of companies building their business model on private data or, like financial institutions, on confidence and trust.

The financial sector is of particular attractiveness for cyber criminals seeking illicit financial gains.²¹ In 2016, customers of financial services suffered sixty-five percent more cyber-attacks than customers of any other industry.²² In July 2014, JP Morgan Chase was the victim of a hack that comprised the accounts of seventy-six million households and seven million small businesses.²³ In February 2016, eighty-one million dollars were stolen from an account of the central bank of Bangladesh via the SWIFT network.²⁴ In November 2016, around 2.5 million pounds were stolen from around 9000 customers of Tesco Bank.²⁵ In May 2019, hackers stole more than 7,000 bitcoin from crypto exchange Binance, the world‘s largest by volume.²⁶

II. Lack of Preparation

Despite these threats, mindsets are unprepared. Citizens see the internet as a free space; more security comes as a burden to them.²⁷ Many companies do not develop security by design; they create digital innovations and develop and use new digital technologies but rarely think about the security side of these technologies. It is, therefore, no surprise that sixty-one percent of cyber-attacks and sixty-five percent of data-breaches took weeks or more to discover.²⁸

And States? According to the European Union Agency for Cybersecurity (ENISA),²⁹ governments tend to tolerate malicious activity as long as it stays at acceptable levels, meaning less than 2% of national income.³⁰ The discrepancy between the gains of internet—visible, real, for example, access to the world via smartphones—and the losses—virtual, more diffuse, and less tangible—at least so far leads to a form of apathy and indifference. There is growing acceptance that the internet comes with certain risks.³¹

Rapidity and inventiveness of attackers require new forms of acting for public authorities. Internet and cyber threats evolve very quickly. Spams and adware, widely used a few years ago, are mostly under control. But new threats are emerging every day, such as ransomware,³² denial of service (DoS) attacks,³³ or phishing.³⁴ The mass of potential hackers today forms a hydra—closing down one platform or getting hold of one attacker can trigger two new platforms to open, or many more hackers applying the same technique, or others, within hours.

C. Key Elements for Effective Cybersecurity Regulation

In order to counter these threats, effective cybersecurity regulation is of growing importance. As a regulatory object, cybersecurity has specific characteristics and presents unique challenges. Their identification will help establish a set of key elements that cybersecurity regulation must respect in order to be effective.

I. General Observations and Elements

1. Manifold Forms of Cybersecurity

Cybersecurity comes in very different forms. Strengthening cyber resilience across different sectors, therefore, requires a variety of measures that must cover many different content elements. At the level of individual businesses, an effective cybersecurity framework addresses the prevention and detection of, the response to, and the recovery from a cyber-attack. It contains provisions on governance, such as risk assessment and management, regular system testing—for example, via simulated cyber-attacks—internal control mechanisms, and continuity planning, as well as provisions on independent review, incident reporting, and third party risks—altogether, essential elements of an effective cybersecurity framework.

2. Importance of the Human Element

Cybersecurity is not only about technology. Often, businesses and institutions are overly focused on technological security and software, but they neglect company culture, people, and processes. The human element, however, is still the weakest link when it comes to cybersecurity.³⁵ Vulnerabilities are introduced both in terms of what we regularly do, for example, opening e-mails or clicking on links, as well as what we fail to do, for example, updating systems or maintaining backups.³⁶ Effective cybersecurity regulation recognizes the importance of education and places emphasis on management and staff training, continuous learning, and risk-awareness-raising.³⁷

3. Rapidly Changing Risk Landscape

Cyber risk is dynamic and evolves quickly. Technological advances enable cyber criminals to continuously develop and apply new methods to attack and compromise information and communication technology (ICT) systems.³⁸ Defense mechanisms must keep up with these developments. Effective cybersecurity regulation, therefore, obliges organizations to continuously update their cybersecurity arrangements. At the same time, it does not impose too many or too detailed requirements but leaves space for flexible and individual solutions, thereby promoting agility and adaptability.³⁹ In the absence of a one-size-fits-all solution to the challenges ahead, organizations must be able to put in place and maintain technologies, mechanisms, and procedures that are specifically tailored to their individual needs, systems, employees, and risk profiles.⁴⁰ Flexibility also enables institutions to balance proportionality and costs as key drivers of any cybersecurity arrangements to be adopted. Considering the rapidly changing nature of cyber risks, overly specific technical requirements also risk being obsolete faster than they can be repealed and replaced by the regulator. Eventually, a certain degree of regulatory flexibility would facilitate the development of innovative cybersecurity solutions, enabling organizations to always stay one step ahead of cyber-criminals.

4. Importance of Cooperation and Information Sharing

In order to best anticipate and respond in a consistent manner to cyber-attacks, a multidisciplinary approach and information sharing are required.⁴¹ There is a need to shift from building static capabilities to more proactive detection of threats. The challenge will be to detect cyber threats in advance and to isolate them in the system to best understand their functioning and potential impact before reacting. This requires the full collaboration of the different sectors of society, including the private sector, particularly with regard to critical infrastructures.⁴² Cooperation and information sharing within the private sector, between the private and the public sector, and at the public level are of particular importance. At best, such mechanisms are established on a cross-sectoral and cross-border basis to avoid a “siloed approach.” Types of information to be shared include, but are not limited to, cyber-incidents, new cyber threats, vulnerabilities in software, hardware or processes, mitigation methods, best practices, and strategic analysis.⁴³

II. Observations and Elements with Particular Regard to the Financial Sector

1. Interconnections and Interdependencies in the Financial Sector

More than many other industries, the financial sector and its systems are highly interconnected and interdependent.⁴⁴ As a result, a cyber-attack can spread very quickly among financial system participants. What is more, the financial sector is only as cybersecure as its weakest link. The failure of one participant, a “single point of failure,” can easily affect and impede the services provided by other participants. Due to the interconnectedness of the sector, a small-volume participant or a business providing non-critical financial services may be as risky as a major participant or a critical financial services provider.⁴⁵ Effective cybersecurity regulation, therefore, covers all actors of a particular sector, and it is not limited to the largest or most relevant financial institutions or sub-sectors.⁴⁶ It also covers more general services that are relevant to the financial sector, such as electricity provision.

2. Broad Range of Entry Points and Third Party Participants

The financial system is a complex network of participants from different environments and shared technologies. It is not only comprised of financial institutions, but also third-party service providers—for example, cloud-service providers—with whom financial institutions work. With regard to these cloud-service providers, only a limited number of big players dominate the market. This leads to concentration risks.⁴⁷ Moreover, financial institutions increasingly rely on information systems in the provision of financial services and their day-to-day operations.⁴⁸ Services are increasingly instant and globally available. Due to progress made in cloud computing, the Internet of Things, and 5G-technologies, the number of devices, networks, and interfaces used in the daily business of a financial institution has increased significantly. This results in a broad range of entry points for possible cyber-attacks, both at the technological level and at the level of participants.

Against this background, effective cybersecurity regulation needs to cover new technologies as well as third-party cyber risks. In the context of the latter, it must set out the conditions according to which financial institutions may enter into outsourcing agreements with third-party service providers and the requirements concerning the management and monitoring of the according risks. It must also provide for the possibility of supervisory access to a financial institution‘s third-party service providers. This onsite access can be obtained either directly in the applicable law or by requiring the financial institution to include this right in outsourcing contracts. Direct supervision of third-parties must also be considered.

3. Importance of the Precautionary Principle

Due to the rapidly changing nature of cyber risks and the uncertainties about future technical developments and threat scenarios, cybersecurity regulation must put particular emphasis on risk prevention. In this context, the precautionary principle is of particular importance. The European Commission and the European Court of Justice consider the precautionary principle to be a general legal principle of EU law.⁴⁹ In the context of financial stability and cybersecurity, the precautionary principle requires government action already when there is a risk to the stability of the financial system. The mere possibility of damage is enough; a concrete probability is not required. In this situation, and considering the principle of proportionality, governments must adopt procedural instruments, such as notification requirements about cyber-incidents, in order to generate information. Should these instruments be insufficient to mitigate the risk, measures that are more intrusive must be considered.⁵⁰

III. Division of Labor Between the Private and the Public Sector

In complex regulatory fields like cybersecurity in the financial sector, knowledge based on expertise and information is a precondition for every kind of state activity. This applies a fortiori in the present context—public authorities often are not as advanced as the private sector when it comes to cybersecurity.⁵¹

The shortcomings of command and control legislation in complex policy fields such as cybersecurity, as well as the central role of information and knowledge, make the cooperation of public authorities with private actors a necessity (“private-public engagement”).⁵² In the context of the concretization of public goods, such as the stability of the financial system and cyber resilience,⁵³ this is to be understood as the result of a process of the division of labor in which both governmental and private actors contribute in all phases of implementation.⁵⁴ These comprise, for example, contributions to fact investigations, or expertise; the creation of standards by private self-regulatory entities; private self-control of safety standards; and the creation of private organizational structures to achieve government goals, such as private contributions to infrastructure maintenance and safety. Indeed, the private sector, both in the form of critical infrastructure operators and standard setters, currently stands in the frontline of fighting cyber-attacks against the financial sector.

From a public law perspective—based on the state responsibility to deliver on public goods—a central task becomes the regulation of the private contributions in collaborative structures to ensure an overall outcome that promotes the public interest.⁵⁵ In this regard, German administrative law theory defines a differentiated concept of public responsibility based on three levels of public responsibility.

1. Comprehensive State Responsibility

The first level is defined by a comprehensive state responsibility (Erfüllungsverantwortung) that ensures the public good by public administration and state authorities acting based on the classical command and control legislation.

2. Collaborative Approach

The second level is defined by a collaborative approach between the public sector and private actors based on a public responsibility with regard to objectives and results. For this kind of cooperation between the public and the private sector, German administrative law theory coined the terms of “Gewährleistungsverantwortung” and “Gewährleistungsverwaltungsrecht” defining an essential element of regulatory law.⁵⁶ Their function is to safeguard the public good by framing the “procedure” of decision-making that is primarily based on private expertise, collaborative action, and organization. In this context, the dynamic adaptation of legal demands on technical developments and the need for opportunities to review and/or revise decisions made under conditions of uncertainty are key elements of the legal framing that has to ensure that the state finally delivers on the public good.

3. Umbrella Responsibility

The third level of public responsibility is a kind of umbrella, and it entitles state authorities to intervene as soon as the collaborative approach leads to shortcomings in delivering on the public good (Auffangverantwortung).

The three levels of public responsibility do not define a hierarchical order but rather different ways and tools through which the legislator can deliver on a public good, such as the stability of the financial system, by avoiding the shortcomings and disadvantages of command and control legislation in complex policy fields. With regard to the protection against cyber threats, the responsibility for the stability of the financial system is assumed in close cooperation between the Member States and the EU (Daseinsvorsorgeverbund), and in collaboration with the private sector.⁵⁷

D. General Observations on the Legal Framework for Cybersecurity in the Financial Sector

In light of the foregoing, the question thus arises whether—and to what extent—the current regulatory landscape for cybersecurity in the financial sector already addresses the challenges identified and reflects the requirements established.

Today, the overall legal framework for cybersecurity in the financial sector is characterized by a multilevel structure, a variety of legal sources, and a wide range of different rule makers and involved actors.⁵⁸

I. Multilevel and Multistakeholder Structure

Provisions on cybersecurity in the financial sector exist at the international, European, and national level. They are developed by national and international standard-setting bodies, international organizations, and national as well as supranational legislators and supervisors. In recent years, development activity has increased significantly. The organizational picture is completed by transnational fora and regional, non-governmental, and independent private organizations.⁵⁹ Responsibilities between these actors are not always clearly delineated.⁶⁰

The scope of the various schemes on cybersecurity differs considerably. While some pursue a cross-sectoral approach, others specifically address cybersecurity in the financial sector or even target certain subsectors such as banks or payment systems. A survey of the Financial Stability Board (FSB) conducted in 2017 showed that all member jurisdictions of the FSB, including the EU, address banks and financial market infrastructures, and a majority of jurisdictions address trading venues, insurance companies, broker-dealers, and asset managers.⁶¹

II. Different Regulatory Strategies

In general, cybersecurity in the financial sector is addressed either by targeted provisions on cybersecurity and/or IT risk, or by provisions that address operational risk in financial institutions generally. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or external events.⁶² Among FSB member jurisdictions, sixty-six percent of reported schemes took a targeted approach to cybersecurity, IT risk, or both, while thirty-four percent addressed operational risk generally. For FMIs and banks, the percentages of reported targeted regulatory schemes were seventy-seven and seventy-one percent, respectively.⁶³ In addition, FSB member jurisdictions mainly described their regulatory schemes on cybersecurity as principles-based,⁶⁴ as opposed to rule-based.⁶⁵

III. Various Content Elements

Content-wise, the different schemes and provisions often overlap. Elements that FSB member jurisdictions address most frequently are: Risk assessment; regulatory reporting; role of the board; third-party interconnections; system access controls; incident recovery; testing; training; creation of role responsible for cybersecurity, such as chief information security officer; information sharing; expertise of the board or senior management; and cyber risk insurance.⁶⁶

IV. Different Types of Provisions, Especially: Standards

1. General Overview

Provisions on cybersecurity in the financial sector take very different forms and differ considerably in legal nature and effect. While some instruments impose mandatory requirements, others provide voluntary guidance or combine both.

At the national level, provisions of both legally binding and non-binding nature exist. According to the 2017 FSB survey, all FSB member jurisdictions have publicly released regulations or guidance that address cybersecurity for at least parts of the financial sector.⁶⁷ In jurisdictions where no specific cybersecurity regulation for the financial sector is in place, supervisors encourage financial institutions to implement international standards and guidance.⁶⁸

At the international level, private self-regulatory entities, networks of specialized administrative bodies, and international organizations have developed cybersecurity standards of various forms and legal quality to help improve cybersecurity in the financial sector. Contributing to the risk management of financial institutions, they establish common security requirements and capabilities needed for secure solutions.⁶⁹ These standards play a predominant role with regard to the different types of provisions constituting the legal framework for cybersecurity in the financial sector.

2. Standards

The phenomenon of private self-regulatory entities, informal networks of specialized administrative bodies, and international organizations creating standards is widespread in areas where highly technical and rapidly evolving matters are involved—such as the regulation of financial markets⁷⁰—especially with regard to cybersecurity. Far from being a new phenomenon, stemming from the beginnings of globalization and, therefore, much older than European integration, it is one of the most popular examples for new international and European governance structures.

2.1 Definition and Types of Standards

Standards set out what are widely accepted as good principles, practices, or guidelines in a given area.⁷¹ The standardization of products, services, or processes is traditionally conducted by technical bodies that primarily represent the vested interests with their expertise.

From an implementation perspective, standards differ in their specificity. As fundamental tenets concerning a broad policy area, principles are usually set out in a general way offering a degree of flexibility in implementation to suit country circumstances.⁷²Practices are more specific and concretize the practical application of the principles within a more narrowly defined context.⁷³ Finally, guidelines provide detailed guidance on steps to be taken or requirements to be met in a particular area.⁷⁴ They are specific enough to allow a relatively objective assessment of the degree of observance.⁷⁵

From a practical perspective, international standards can be seen as a “substitute” for hard international law,⁷⁶ making lengthy and costly negotiations between states obsolete.⁷⁷ The expertise involved in the drafting process ensures the development of high-quality standards, which usually leads to high acceptance rates within the community to which they are addressed.

2.2 Legal Effects of Standards and Implementation Paths

As soft law instruments,⁷⁸ standards are not formally binding and do not impose direct obligations on regulators, supervisors, or private entities. On a voluntary basis, however, international standards are often implemented by the industry they are addressed to, thereby developing de facto binding effects.⁷⁹ International standards also frequently serve as a model for legislative and regulatory activity at the national or EU level, either being substantially copied into by incorporation, or dynamically referred to in binding provisions by reference. This way, they contribute to reducing risks of regulatory arbitrage and, depending on the degree of implementation, to achieving at least some degree of international convergence of cybersecurity regulation and supervision in the financial sector.

According to the 2017 FSB survey, all member jurisdictions of the FSB, including the EU, drew upon previously developed international standards when they developed their own cybersecurity regulatory and supervisory schemes for the financial sector.⁸⁰

2.3 Challenges of Private Standard Setting, Especially: Democratic Legitimacy

Against this background—de facto binding effects of standards and standards as a model for subsequent legislative activity—it is of importance that standard-setting processes comply with the minimum requirements of democratic legitimacy.

a) The Notion of Democratic Legitimacy

In academia, different notions of democratic legitimacy are being discussed. Depending on the position taken, the assessment and evaluation of the standard-setting process will differ. Within the scope of this Article, it is impossible to do justice to the rich literature on this topic.⁸¹ Here, an input-orientated notion will be combined with an output-oriented notion of democratic legitimacy.⁸² The input-oriented notion can be summarized as government by the people. Democratic legitimacy is derived from the community of people, whether they are specifically affected by the provisions in question or not.⁸³ Output-oriented notions of democratic legitimacy stress the aspect of government for the people where the outcome of the political process, hence the quality of laws, is of main importance. Under this concept, the participation of experts in order to guarantee “good laws” is wholly accepted, if not required.⁸⁴

b) Minimum Legitimacy Requirements for Standard Setting

Against this background, standards and standard-setting processes that involve experts are, in principle, desirable. Although, they have to fulfill certain minimum requirements. At first, transparency vis-à-vis the public, the European and national parliaments must be ensured. Such transparency must go hand in hand with a formalization of the drafting process through procedural rules, an obligation to state reasons, documentation obligations, and fit and proper requirements for all experts involved.⁸⁵ Comments received must be adequately considered in the drafting process.⁸⁶ Finally, equal participation rights in the consultation process for all interested parties, not only those affected, must be safeguarded, taking account of the different organizability of different interests.⁸⁷

c) Consequences

As long as standard-setting processes do not meet these minimum requirements, even de facto binding effects of standards are problematic. To resolve this problem, standard-setting bodies must make arrangements and adopt procedures in order to comply with the minimum requirements outlined above; or the respective standards must be substituted by statutory provisions adopted in a legislative procedure.

Legislators, however, cannot simply refer to or directly incorporate standards that have not been developed under a procedure that complies with the minimum requirements of democratic legitimacy. Instead, they must carry out an in-depth analysis and own substantive assessment of the respective standards before referencing them or incorporating them in binding legislation.⁸⁸

One may respect the standardization structure as a helpful institutional solution to a regulatory problem, and one should not try to reduce the structure to its public or private aspects. Neither a purely governmental nor a purely civil arrangement seems to work better. But this does not imply that it is impossible to develop mechanisms that address legitimacy problems of standardization more adequately, especially procedures concerning the inclusion of interests and the transparency of the rulemaking process. This benevolent approach accepts standardization bodies as a genuine form of governance that can complement but not substitute government structures.

2.4 Overview of International Cybersecurity Standards

International cybersecurity standards for the financial sector have been developed by many different actors.

a) G7 CEG Fundamental Elements of Cybersecurity for the Financial Sector

In 2016, the G7 Cyber Expert Group (G7 CEG) published its Fundamental Elements of Cybersecurity for the Financial Sector,⁸⁹ a set of high-level principles designed to help address cyber risks facing the financial sector. The G7 has no binding decision making competences and is not an international organization; at most, it is a “soft organization.”⁹⁰ As high-level building blocks, its principles and other publications are frequently concretized into standards that are more detailed and then referred to or incorporated in binding legislation at the EU or national level, known as a “cascade mechanism.”

Based on the 2016 Elements, the 2017 G7 CEG Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector⁹¹ provide additional guidance on good cybersecurity practices for institutions. In 2018, the G7 CEG published its Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector⁹² and its Fundamental Elements for Threat-Led Penetration Testing.⁹³

b) CPMI-IOSCO Principles for Financial Market Infrastructures

Specifically addressed to FMIs, the Committee on Payments and Market Infrastructures of the Bank for International Settlements (CPMI)⁹⁴ in 2012 issued, jointly with the International Organization of Securities Commissions (IOSCO), its Principles for Financial Market Infrastructures (PFMI)⁹⁵ in order to harmonize and strengthen the existing international standards for FMIs. CPMI is the global standard-setter for payments, clearing, and settlement; its members are central banks. It does not possess any formal supranational authority.⁹⁶ IOSCO is an international body that brings together the world‘s securities regulators. The PFMI are expressed as broad and flexible principles. In 2016, the PFMI were complemented by the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures.⁹⁷

c) ISO/IEC 27000 Family of Standards on Information Security Management Systems

An important cross-sectoral set of standards for cybersecurity is the ISO/IEC 27000 Family of Standards on Information Security Management Systems⁹⁸ published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The ISO is a non-governmental international organization composed of representatives from 163 national standard bodies. The ISO/IEC 27000 Family of Standards is meant to help organizations develop and implement a framework for managing the security of their information assets and information entrusted to them by customers or third parties.⁹⁹

d) NIST Framework for Improving Critical Infrastructure Cybersecurity

With its Framework for Improving Critical Infrastructure Cybersecurity,¹⁰⁰ the US National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, developed a set of cross-sectoral principles, practices, and guidelines to manage cybersecurity-related risks. By referencing globally recognized standards, the framework can be used not only within the US but also by organizations across the world.

e) Further International Standard Setters

There are several other international standard-setting bodies, associations, and networks that have issued soft law instruments on cybersecurity in the financial sector. The most important of these are: The Basel Committee on Banking Supervision (BCBS),¹⁰¹ an informal network of public authorities in the area of technical expertise; the Organization for Economic Co-Operation and Development (OECD),¹⁰² an international organization; and the Global Financial Markets Association (GFMA),¹⁰³ a forum for the largest globally active financial and capital market participants. Finally, the Information Systems Audit and Control Association (ISACA), an international association, engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems.

E. Cybersecurity in the Financial Sector at EU Level

Having established the broader overall picture of the legal framework for cybersecurity in the financial sector, this Section will analyze the legal cybersecurity landscape within the EU. After a quick look at the scope and limits of EU competences in this area, it will focus on the regulatory framework and the corresponding governance structures for cybersecurity at the EU level.

I. EU Competence Framework

1. EU Cybersecurity Regulation and the Principle of Conferral, Article 5(2) TEU

Under the principle of conferral, the Union shall only act within the limits of the competences conferred upon it by the Member States in the Treaties, and in order to attain the objectives set out therein.

European cybersecurity legislation has already been based on several legal bases in the Treaties.¹⁰⁴ These include the internal market (Article 114 TFEU); the right of establishment and the freedom of services (Articles 62, 53(1) TFEU); the smooth operation of payment systems (fourth ident of Articles 127(2), 132(1) TFEU); and the area of freedom, security, and justice (Article 83(1) TFEU). With regard to coordination at the EU level, a more general legal basis is provided for in Article 74 TFEU.¹⁰⁵

Cyber policy, especially in the context of the protection of critical infrastructures and the guarantee of financial stability, has a security dimension. The Member States, however, are traditionally reluctant to share competences in this regard.¹⁰⁶ Indeed, Article 4(2) TEU points out that the EU shall respect the “essential State functions, including … maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.” Does this preclude any EU action in the field of cybersecurity?

There are strong arguments that this is not the case. Article 4(2) TEU refers only to “national security,” meaning that it does not preclude measures referring to “Schengen security,” defined by cross-border effects of internal security.¹⁰⁷ With cyberspace and cyber aggressions being borderless, there is good reason to assume that cybersecurity is not to be regarded as a purely internal security matter but must rather be assigned to “Schengen security.” This applies a fortiori in the context of guaranteeing financial stability, which itself has a cross-border dimension. Moreover, cybersecurity can be attributed to the area of freedom, security, and justice (Article 67 TFEU), which Art 4(2)(j) TFEU lists as a “shared competence between the Union and the Member States.”¹⁰⁸

What is more, the creation of a Digital Single Market for (financial) services (Art. 114 TFEU), including the establishment of a robust and resilient Banking and Capital Markets Union, is a core task of the EU, which can only be realized in a cybersecure digital environment. Cybersecurity is a conditio sine qua non for the future development of the Digital Single Market. EU competences in these areas, therefore, go hand in hand with EU competences in the field of cybersecurity in its European dimension.

2. EU Cybersecurity Regulation and the Principle of Subsidiarity, Article 5(3) TEU

In areas that do not fall within the exclusive competence of the Union, the principle of subsidiarity must be observed. This also applies to the area of cybersecurity. Union action in this field must, therefore, pass the subsidiary test. In order to pass this test, it is first necessary that the objectives of the proposed action cannot be sufficiently achieved by the Member States (“necessity” criterion), and second, that the action can more successfully be undertaken at the Union level (“added value” criterion). Although compliance must be assessed on a case-by-case basis, some general observations can be made.

Due to the transnational nature of cyber threats and the cross-border interdependencies between network and information systems, unilateral approaches to cybersecurity at Member State level are often inefficient. Diverging national regulatory requirements on cybersecurity in the financial sector also prevent the establishment of a level playing field among financial institutions in the EU and risk leaving legislative loopholes. Finally, in the absence of harmonization, financial institutions with cross-border operations risk having to comply with different regulatory standards in different Member States concerning the same aspect of cybersecurity (together: “necessity” criterion). An EU-wide approach establishing minimum requirements on cybersecurity could, at least to some extent, answer these problems (“added value” criterion). There is thus still sufficient leeway for future European legislation from a principle of subsidiarity point of view.

II. EU Regulatory Framework

Although the impact of cyber threats is still neglected to a remarkable extent, the EU is not entirely unprepared. At the EU level, provisions on cybersecurity in the financial sector are set out in legislative acts, notably regulations and directives; administrative rules, such as delegated acts and regulatory technical standards; and recommendations and guidelines. Due to limited space, it is impossible to establish a comprehensive picture of cybersecurity regulation in the financial sector. The following subsection, therefore, analyzes EU cybersecurity regulation with regard to systemically important payment systems and credit institutions as reference areas.

1. Regulation of Systemically Important Payment Systems (SIPS)

Payment systems facilitate the clearing, settlement, and recording of payments, thereby contributing to maintaining and promoting financial stability and economic growth.¹⁰⁹ As financial markets infrastructures, however, they also concentrate risk.¹¹⁰ If not properly managed, they can become a source of financial shocks or a major channel through which these shocks are transmitted across domestic and international financial markets.¹¹¹

The oversight of payment systems is an essential function of central banks. In the euro area, it is carried out by Eurosystem (Article 127(2) TFEU and Article 3.1 of the Statute of the ESCB and of the ECB). The Eurosystem has set out its oversight objectives in specific oversight schemes.

1.1 Overview of the Different Regulatory Schemes

For a large part, Eurosystem oversight of FMIs is based on the 2012 CPMI-IOSCO Principles for financial market infrastructures (PFMIs) and, regarding cybersecurity, in particular, the 2016 CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures.

a) SIPS Regulation

In 2014 and 2017, respectively, the ECB translated parts of this international standard into the “SIPS Regulation,”¹¹² which applies to payment systems of systemic importance in the euro area operated by both central banks and private operators. Under the SIPS Regulation, the ECB is currently responsible for overseeing TARGET2, EURO1, and STEP2-T. The Banque de France oversees CORE(FR). The SIPS Regulation has been based on Article 127(2) TFEU and Articles 3.1, 22, and 34.1 first indent of the Statute of the ESCB and of the ECB.

As one of only a few provisions in EU law, Article 15(4a) SIPS Regulation, entitled operational risk, explicitly lays down cybersecurity requirements. The paragraph, which has been added to the SIPS Regulation during its amendment in 2017, reads as follows.

A SIPS operator shall establish an effective cyber resilience framework with appropriate governance measures in place to manage cyber risk. The SIPS operator shall identify its critical operations and supporting assets, and have appropriate measures in place to protect them from, detect, respond to, and recover from cyber-attacks. These measures shall be regularly tested. The SIPS operator shall ensure it has a sound level of situational awareness of cyber threats. The SIPS operator shall ensure that there is a process of continuous learning and evolving to enable it to adapt its cyber resilience framework to the dynamic nature of cyber risks, in a timely manner, whenever needed.

b) Cyber Resilience Oversight Expectations for Financial Markets Infrastructures (CROE)

Article 15(4a) SIPS Regulation is complemented by the ECB‘s Cyber Resilience Oversight Expectations for Financial Markets Infrastructures (CROE),¹¹³ which set out detailed best practices to operationalize the rather abstract CPMI-IOSCO guidance. The CROE apply to all categories of payment systems, not only systemically important payment systems.¹¹⁴ Recently, the CROE have been embraced by the World Bank with a view to promoting global harmonization and might, therefore, eventually be used around the world.¹¹⁵

c) General Data Protection Regulation (GDPR)

With a primary focus on ensuring the security of personal data—instead of network and information systems—EU data protection laws such as Articles 32–34 of the GDPR¹¹⁶ require financial entities, including SIPS operators and credit institutions, to implement appropriate technical and organizational measures to prevent a cyber-incident and lay down notification requirements.¹¹⁷

1.2 Critical Assessment

Article 15(4a) SIPS Regulation establishes a clear, legally binding framework for cybersecurity for systemically important payment systems. The provision explicitly addressees governance and the most important cyber risk prevention and mitigation measures, stipulates regular testing, and requires SIPS operators to constantly learn and evolve; in other words, it does not neglect the human element either. Potential cyber risks resulting from the collaboration with third parties are covered in more general terms by Article 15(7) SIPS Regulation requiring a SIPS operator to “identify, monitor, and manage the risks that critical participants, other FMIs, and service and utility providers might pose to the SIPS‘ operations.” Except for requirements on incident notification, the SIPS Regulation thus addresses all essential elements of an effective cybersecurity regulatory framework. In addition, the use of general terms such as “appropriate measures” and the emphasis put on the ability of operators to “adapt [their] cyber resilience framework to the dynamic nature of cyber risks” leaves sufficient room for operators to react with the necessary flexibility to dynamically evolving cyber threats. At the same time, these general terms allow for the development of new, innovative approaches to cybersecurity.

2. Regulation of Credit Institutions

The current regulatory landscape for credit institutions is more complicated. While the NIS Directive, the cyber-incident reporting framework of the ECB, and certain provisions of PSD2 and MiFID II make explicit reference to cybersecurity, other instruments only address cybersecurity on the edge or concern the management of the overall operational risk of a credit institution.

2.1 Overview of the Different Regulatory Schemes

a) NIS Directive

In 2018, Member States, together with the EU, set up a new regime for European cyber-protection. EU Directive 2016/1148, concerning measures for a high level of common security of network and information systems across the Union, is known as the “NIS Directive.”¹¹⁸ To date, the NIS Directive is the only piece of EU legislation that has an exclusive focus on cybersecurity for network and information systems and applies across different sectors.¹¹⁹ Based on Article 114 TFEU, the directive aims at developing a minimum level of cyber capability in all Member States, rather than at the EU level.

The NIS Directive takes account of the essential role in the functioning of economic and social life attributed to operators of essential services and digital service providers. Regarding the financial sector, the NIS Directive applies to credit institutions, operators of trading venues, and central counterparties, when designated as operators of essential services.¹²⁰ Provisions in sector-specific EU legal acts, which—directly or indirectly under the umbrella of operational risk—impose cybersecurity requirements on financial institutions, such as CRD IV, PSD2, and MiFID II, are lex specialis vis-à-vis the NIS Directive provided that they contain requirements that are at least equivalent in effect to the obligations laid down in the NIS Directive.¹²¹

i) Content

Under the NIS Directive, credit institutions concerned must “take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of [their] network and information systems.”¹²² In addition, they have to “take appropriate measures to prevent and minimize the impact of incidents affecting the security of the network and information systems … with a view to ensuring the continuity of those services.”¹²³ “In order to promote convergent implementation [of these requirements], Member States shall, without imposing or discriminating in favor of the use of a particular type of technology, encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.”¹²⁴ Finally, credit institutions must “notify, without undue delay, the competent authority … of incidents having a significant impact on the continuity of the essential services they provide.”¹²⁵

With regard to similar reporting requirements in the United States, the private sector raised the concern that an obligation to notify cyber-incidents increases risks of civil liability, regulatory liability, or both and advocated for clearly defined liability protections.¹²⁶ The NIS Directive took up this concern and clarified, “notification shall not make the notifying party subject to increased liability.”¹²⁷

ii) Critical Assessment

The provisions of the NIS Directive are very broad and abstract.¹²⁸ While such an open formulation leaves room for credit institutions to react with flexibility to dynamically evolving cyber threats, it also leaves them with uncertainty as to the cybersecurity standards to implement, especially when there is more than one standard available. Not only does this mean that there is a conflict with the principle of legal certainty, but it also is cause for concern inasmuch as competent authorities have the competence to “issue binding instructions to the operators of essential services to remedy the deficiencies identified.”¹²⁹

What is more—and unlike the SIPS Regulation—the high-level provisions of the NIS Directive do not sufficiently ensure the implementation of all essential elements of an efficient cybersecurity regulatory framework. For example, operators of essential services are not explicitly required to implement regular testing, internal control mechanisms, or to ensure regular staff training and continuous learning. In addition, the NIS Directive provides only minimum harmonization.¹³⁰ Cybersecurity requirements for credit institutions can, therefore, still diverge significantly from one Member State to another, resulting in very different levels of protection and preparedness, entailing a risk of regulatory arbitrage.¹³¹ This is particularly problematic in that mutual trust and reinforced cooperation can be built only on a level playing field, which a “minimum level” of requirements and engagement cannot achieve. Finally, law enforcement bodies play a very limited role in the directive, although collaboration between the different cybersecurity communities is of vital importance.¹³²

b) Cyber-Incident Reporting Framework

In 2017, the ECB published a cyber-incident reporting framework that applies to all banks under the direct supervision of the ECB and, therefore, to all significant institutions from the nineteen euro-area countries. Under this framework, banks are required to report significant cyber-incidents to the ECB as soon as they detect them. In Member States where such an incident reporting process was already in place, banks will continue to report incidents to the national supervisors, who will then forward them to the ECB.¹³³

c) CRD IV, CRR, PSD2, and MiFID II

i) CRD IV and CRR

Pursuant to the CRD IV,¹³⁴ credit institutions shall “implement policies and processes to evaluate and manage the exposure to operational risk,”¹³⁵ put in place “contingency and business continuity plans,”¹³⁶ and “shall have robust governance arrangements” as well as “adequate internal control mechanisms.”¹³⁷ Although these provisions do not explicitly reference cybersecurity but address operational risk in general, the management of cyber risks is broadly expected to be covered by these terms. To supplement the provisions of CRD IV, the EBA has issued a set of guidelines,¹³⁸ including a specific guideline on outsourcing arrangements.¹³⁹ The Capital Requirements Regulation (CRR)¹⁴⁰ contains relevant provisions in Articles 288, 320–322, and 368.¹⁴¹

ii) PSD2

In their capacity as payment services providers, credit institutions must observe the requirements of PSD2.¹⁴² With regard to third-party risks, the directive stipulates, “outsourcing of important operational functions, including IT systems, shall not be undertaken in such way as to impair materially the quality of the payment institution‘s internal control.”¹⁴³ Moreover, PSD2 requires payment service providers that apply for authorization as a payment institution to “indicate how they ensure a high level of technical security and data protection … for the software and IT systems ….”¹⁴⁴ Apart from these explicit references to cybersecurity, the management of cyber risks is only indirectly covered by provisions on the management of operational and security risks of a payment services provider,¹⁴⁵ and on notification requirements in case of a major operational or security incident.¹⁴⁶ In order to supplement the provisions of the PSD2, the EBA, in close cooperation with the ECB, has issued a set of guidelines.¹⁴⁷ In addition, the “EBA shall promote cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities, and between the competent authorities and the ECB and, where relevant, the ENISA.”¹⁴⁸

iii) MiFID II

When providing one or more investment services, performing investment activities, or both, credit institutions must also observe certain provisions of MiFID II,¹⁴⁹ including Article 16 MiFID II.¹⁵⁰ Under this article, a credit institution “shall employ appropriate and proportionate systems, resources, and procedures”¹⁵¹ and must establish “internal control mechanisms, effective procedures for risk assessment, and effective control and safeguard arrangements for information processing systems.”¹⁵² Moreover, “sound security mechanisms [must be] in place to … minimize the risk of data corruption and unauthorized access and to prevent information leakage.”¹⁵³ MiFID II also addresses third party risk management. In this regard, a credit institution “shall ensure, when relying on a third party for the performance of operational functions … that it takes reasonable steps to avoid undue additional operational risk.”¹⁵⁴ In order to specify the concrete requirements in this context, the Commission has adopted a delegated regulation.¹⁵⁵

2.2 Overall Assessment

Too many cooks spoil the broth. This wisdom also applies to cybersecurity regulation for credit institutions. The regulatory landscape in this area is composed of various legal instruments of both legally binding and non-binding quality, which have been adopted by many different regulators. Fragmentation of requirements for credit institutions across the NIS Directive, CRD IV, PSD2, and MiFID II leads to a lack of clarity. Overlapping or duplicative requirements entail a risk of inconsistency. This is problematic because legal clarity and consistency are necessary to ensure a level playing field for financial institutions. There also is a high degree of fragmentation in the level of detail, specificity, and terminology of the relevant provisions.¹⁵⁶ This can adversely affect credit institutions that are subject to more than one of the aforementioned legal acts.

As in the NIS Directive, the relevant provisions of CRD IV, CRR, PSD2, and MiFID II are very high level. In addition, most of them are not explicit on cybersecurity, but only address the management of the general operational risk of a credit institution. More specifically, cybersecurity-related requirements are laid down in only supplemental, non-binding guidelines. Preferably, cybersecurity should be regarded as an independent risk management category in need of more explicit, mandatory rules that ensure that every relevant entity is subject to specific cybersecurity requirements.

With regard to incident notification, many different reporting schemes exist at both the national and EU levels. Some of these schemes are governed by sectoral legislation, others by cross-sectoral legislation, such as the NIS Directive and the GDPR.¹⁵⁷ The schemes differ in scope, addressees, terminology, and requirements (for example, different timeframes). They also designate different recipients of the reported information. For some incidents, the frameworks overlap.¹⁵⁸ An additional source of complication stems from differences in reporting templates. This can become burdensome, especially in time-critical environments.¹⁵⁹

Finally, there are no legally binding provisions¹⁶⁰ that specifically address third-party concentration risk.

III. EU Cybersecurity Governance Structures

European governance of cybersecurity is rather decentralized.¹⁶¹ With regard to the EU public sector, relevant bodies can be assigned to the three different areas of cybersecurity: Network and information security, cybercrime, and cyber defense.

1. Network and Information Security

1.1 ENISA

With ENISA, the EU has a dedicated agency in the field of cybersecurity. ENISA, originally established in 2004, pursues mid and long-term objectives. It aims to raise awareness and assist the EU, Member States, and public and private stakeholders develop and improve cyber resilience and response capacities, including building of Computer Emergency Response Team (CERT) capacities. ENISA also organizes the pan-European cyber crisis exercise that simulates a crisis scenario caused by a large number of cybersecurity incidents.

With the entry into force of the EU Cybersecurity Act (ECA)¹⁶² in June 2019, ENISA has been provided with a new permanent mandate, a reinforced role in cybersecurity with new tasks, and additional financial and human resources. Most importantly, ENISA will be responsible for the preparation of European cybersecurity certification schemes, which will serve as the basis for certification of ICT products, processes, and services. In addition, ENISA will continue to support the coordination of responses to large-scale cyber-attacks and crises, in cases where two or more Member States are concerned. Still, ENISA has no direct intervention powers.

1.2 CERT-EU, CSIRTs, Cooperation Group, CSIRTs Network and FIRST

The Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) deals with concrete information security incidents and cyber threats. However, for the time being, it provides its services only to EU institutions and has limited resources.¹⁶³

Under the NIS Directive, each Member State shall set up a national Computer Security Incident Response Team (CSIRT) for handling risks and incidents¹⁶⁴ and must designate or establish authorities competent to monitor the NIS Directive‘s application as well as a single point of contact.¹⁶⁵ To date, respective national structures still diverge significantly in form, function, and equipment.

According to the NIS Directive, CERT-EU will become a member of the CSIRTs network, together with the national CSIRTs.¹⁶⁶ This CSIRTs network will promote the possibility of voluntary operational cooperation. In addition, a “Cooperation Group,” composed of representatives of the Member States, the Commission, and ENISA, will provide strategic guidance to the CSIRTs network and shall also coordinate the exchange of best practices among the Member States.¹⁶⁷ Outside the scope of the NIS Directive, collaboration within the European CSIRT community takes place in the TF-CSIRT.¹⁶⁸

Computer Emergency Response Teams do not only exist at the public level but are also set up in-house in private firms and organizations. The Forum of Incident Response and Security Teams (FIRST) brings together a variety of CERTs from governments and non-governmental organizations and businesses. FIRST aims to foster cooperation and coordination in incident prevention and to promote information and experience sharing concerning attacks and malware, while building professional relationships of trust.¹⁶⁹

1.3 Actors in the Financial Sector in Particular

With regard to cybersecurity in the financial sector, the European Supervisory Authorities (ESAs), the ECB, the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB), and the European Financial Institutes Information Sharing and Analysis Centre (European FI-ISAC) stand out. The ESAs and the ECB are involved in the daily supervision of financial market participants, which also concerns cybersecurity, and they are active in the field of rulemaking, issuing binding rules and soft law. The ECRB is a forum for strategic discussions, collaboration, and sharing of best practices between pan-European FMIs, their critical service providers, and public authorities.¹⁷⁰ Facilitated by the ECB, it has no formal powers to impose binding measures and does not make supervisory judgments.¹⁷¹ With a similar focus, the mission of the European FI-ISAC is to exchange information on ICT related topics, including cybercriminal activity affecting the financial community, vulnerabilities, technology trends, incidents, and case studies.¹⁷² The European FI-ISAC is composed of country representatives from the financial sector, CSIRTs, and Law Enforcement Agencies. The equivalent of the European FI-ISAC at the global level is the Financial Services Information Sharing and Analysis Center (FS-ISAC).

2. Cybercrime: European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) at Europol provides important operational support and training to the Member States and has become the first hub for expertise on cybercrime operations. In this regard, the EC3 is a victim of its own success. Given the importance and recognition it has gained since its creation in 2013, it is already understaffed and needs to see significant enforcement of resources.¹⁷³

3. Cyber Defense: European Defence Agency (EDA) and EU Military Staff

The role of the EU in cyber defense is largely limited to an advisory function, leaving the operational and strategic realities of defense to the Member States.¹⁷⁴ The European Defence Agency (EDA) supports the capability development in cyber defense in the Member States and encourages greater cooperation in this field. The EU Military Staff brings cyber expertise to military strategic planning in the Common Security and Defence Policy (CSDP) military operations and missions.¹⁷⁵

4. Assessment of the Governance Structures

The EU‘s current approach to cybersecurity is siloed within various institutions, actors, and initiatives, and it is characterized by a lack of clearly delineated areas of responsibility.¹⁷⁶ There are coordination problems between and within these silos. Certain capabilities and mandates are duplicates. Interaction between the different cyber-communities proves difficult for technical, legal, and cultural reasons. This puts major limitations to the fight against cyber-attacks because it cannot be solved by looking only at the contaminated devices, as the CERT community would, but can only be fully understood by observing the big picture, as only police and law enforcement can.

At the Member State level, CERT structures diverge significantly in form and function.¹⁷⁷ The NIS Directive has changed little in this regard because it only provides for minimum harmonization and has a limited scope of application. Different levels of cyber maturity and preparedness are another hurdle to the fight against cyber-attacks. Not only is it difficult to achieve smooth cooperation between the different cyber-communities, but even at the level of a specific community, like the CERT community, it proves delicate to enforce cross-border exchange and cooperation among different national structures.

Until the establishment of the CSIRTs network and the Cooperation Group, cooperation among governmental CERTs took place only in the European Government CERTs group (EGC group), an informal association of governmental CERTs in Europe composed only of the authorities of the most capable states,¹⁷⁸ and the Central European Cyber Security Platform (CECSP).¹⁷⁹ In the past, both groups were reluctant when it came to widening their circle. The very functioning of everyday life and business is at stake here, and cyber threats do not know a geographical dimension. States, therefore, trusted and wanted to open up to systems that are only as safe as their own; at the same time, however, it is also the reason why cross-border cooperation is indispensable.

It is at least questionable whether the CSIRTs network and the Cooperation Group will change things up in this regard because the underlying problems—notably, heterogeneity in the level of maturity—remain largely the same, and cooperation within the new structures is still voluntary to a large extent.

F. Reform Perspectives for Cybersecurity Regulation and Governance in the Financial Sector

Owing to their transnational nature, a global answer to cyber threats is often advocated.¹⁸⁰ Therefore, it is not surprising that the idea to adopt an international regulatory framework on cybersecurity in the financial sector has already been brought forward.¹⁸¹ In order to ensure implementation and to create a level playing field, such a framework would need to be legally binding. Currently, however, the conclusion of an international treaty or a similar, binding global agreement in a highly technical and sensible area such as cybersecurity does not seem very likely.¹⁸² Yet, at the EU level, the adoption of a legally binding regulatory framework on cybersecurity in the financial sector is conceivable. In the most general sense, the EU‘s strength is to facilitate coordination and cooperation between the Member States; harmonize policies and agendas; and encourage the pooling or aggregation of resources, capabilities, and responsibilities.¹⁸³

A potential reform at the EU-level could start with the adoption of a European Single Cybersecurity Rulebook for the Financial Sector. Better cooperation and information sharing within the private sector, between the private and the public sector, and among public authorities would also need to be addressed. In this context, the creation of a European Cybersecurity Platform could be considered.

I. Adoption of a European Single Cybersecurity Rulebook for the Financial Sector

In order to address the current fragmented and heterogeneous regulatory landscape for cybersecurity in the financial sector, provide legal certainty, establish a level playing field among financial institutions, and ensure a comparable level of cyber resilience maturity of financial sector participants, a European Single Cybersecurity Rulebook for the Financial Sector could be adopted.

Based on Article 114(1) TFEU, the Single Rulebook would establish specific and coherent cybersecurity requirements and use consistent terminology. It would apply to every financial participant, regardless of its significance or size.¹⁸⁴ As its name implies, the Cybersecurity Rulebook would address cybersecurity as an independent risk management category and take the form of a regulation or a directive providing for full harmonization.

Admittedly, having one solitary rulebook for the broad range of financial institutions, of different sizes, would be difficult. It might end up being very high level, leading to supervisors taking very different approaches to assessing compliance with its provisions. The proposed Single Rulebook is, therefore, not to be understood as a “one-size-fits-all” solution, but rather as a framework of reference providing common cybersecurity pillars for every subsector of the financial sector.

1. Substantive Provisions

1.1 Content

With regard to its substantive provisions, the Single Cybersecurity Rulebook would cover all vital elements of an effective cybersecurity regulatory framework, including, but not limited to, the prevention and detection of, the response to, and the recovery from a cyber-attack. Article 15(4) SIPS Regulation and Article 14(1) to (3) NIS Directive could serve as an example in this regard but would need to be complemented by more specific provisions and requirements. The power to adopt technical specifications would be delegated to the Commission, which would be supported by ENISA and the ESAs.

a) Penetration-Testing and Red Teaming

Specific provisions on cross-border and cross-authority system penetration testing and red teaming could be built on already existing instruments such as the ECB‘s TIBER EU-Framework for Threat Intelligence-based Ethical Red Teaming¹⁸⁵ or the G7 CEG 2018 Fundamental Elements for Threat-Led Penetration Testing.¹⁸⁶

b) Management of Third Party Cyber Risks

The management of third-party cyber risks, especially regarding interconnections with cloud services providers and related concentration risks, should also be addressed in more specific and legally binding rules. These could be built on the G7 CEG 2018 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector.¹⁸⁷ If the adoption of outsourcing guidelines or enabling supervisor‘s access onsite proves insufficient to mitigate cyber risks stemming from third-party interconnections, direct supervision of third-parties would be a conceivable solution.

c) Consistent Incident Notification Schemes

Moreover, consistent incident notification requirements should be introduced for all financial sector participants.¹⁸⁸ These requirements should ensure that the same entity is not subject to different reporting timeframes or must use different reporting templates. Requirements should also take into consideration suitable criteria for incidents to be reported, in addition to specifying the recipients of incident reports.¹⁸⁹ Finally, the reporting of not only incidents but also of tactical and strategic information should be considered, but remain voluntary.

1.2 Regulatory Technique

With regard to the regulatory technique to be used in the Rulebook, the legislator would be required to build in flexibility into regulation in order to promote the agility and adaptability of businesses and institutions,¹⁹⁰ thereby enabling them to continually improve themselves against an ever-changing threat landscape.¹⁹¹ In order to achieve greater flexibility, the legislator can make use of different tools.

a) Binding Objectives and Focus on Outcomes

Probably the most important tool to enhance flexibility and to promote agility and adaptability through regulation is to focus on outcomes. To this end, principle-based regulation defines binding objectives which set a target and the criteria to be followed to achieve compliance, instead of prescribing the exact mechanisms by which compliance is obtained.¹⁹² Principle-based regulation induces the development of new, cost-effective methods and techniques to comply. What is more, setting targets without prescribing the methods avoids the risk of creating lock-ins. Lock-ins may occur if the regulatory requirements refer to a specific technique to meet a target, leaving no room for other techniques or methods. By contrast, rule-based regulation stipulates not only the target but also how to meet the target. Such an approach requires the regulator to provide a very specific set of rules. Rule-based regulation is usually easier to control and enforce by the authorities, precisely because it is rather inflexible and standardized. But it hardly sets incentives for companies to develop their own approaches to meet the target.

The principle-based approach aims to counter the box-ticking mentality often reproached to rule-based regulatory systems. Risk regulation—like cybersecurity¹⁹³—cannot fully be conceived ex ante but needs regular and speedy adjustments ex post. Under the principles-based approach, regulated entities will have increased flexibility in how they deliver the outcomes that the regulator requires, and many will find a closer fit between meeting their business objectives and meeting regulatory requirements.¹⁹⁴ Wherever possible and appropriate, the provisions of the Rulebook should, therefore, be principle-based.

b) Sunset Clauses

Sunset clauses are a way to react to a rapidly changing world that the legislator often has difficulties keeping up with. Sunset clauses can be defined as legal or regulatory clauses that shall be extinguished after a fixed period, except if the renewal of the clause is requested.¹⁹⁵ Sunset clauses bear a resemblance to experimental legislation because they enable the legislator or regulator to “try out” new regulatory approaches. This can be useful in a situation of great uncertainty and lack of information. When little is known about a situation, a temporary legislative measure can be a better option than no legislative adjustment to the situation. What is more, sunset clauses may ease the decision of the legislator because the decision is easily extinguished. Lawmakers can use sunset clauses to gather information and experience. For these reasons, sunset clauses can encourage quicker legislative or regulative changes in dynamic fields or under uncertain circumstances.

2. Supervisory Structure

At the supervisory level, current structures would remain largely unchanged. In particular, all European and national supervisors currently responsible for the financial supervision of a certain subsector or parts of it would continue to supervise that subsector, including oversight of cybersecurity requirements. They would, however, apply the new Cybersecurity Rulebook. As opposed to a conceivable “single cybersecurity supervisor” for the entire financial sector, sector supervisors have specific knowledge of the particularities of their area and the entities they supervise. But they might not all be cybersecurity experts. In their daily supervision, they would, therefore, be advised and supported by both European and national cybersecurity competence centers to be composed of experts and staff with a dedicated IT background and an in-depth knowledge of cybersecurity. Regarding their institutional structure, the competence centers could be set-up within existing organizations with a similar focus, like ENISA or EU and governmental CERTs, or as an independent organization.

II. Reinforcement of Cooperation and Information Sharing

Within the EU, considerable rhetorical emphasis is put on the development of a common approach to cybersecurity based, among others, on the enhancement of cooperation and information sharing among actors and policies.¹⁹⁶ At its current state, however, the EU is insufficiently prepared. The same information is usually passed through different sources; various groups process information and act in parallel. Overall, coordination must be improved, and existing resources at all levels must be pooled.¹⁹⁷

1. Within the Private Sector

Within the private sector, cooperation and information sharing is currently voluntary. There are limited incentives to reveal cyber-incidents or related information to other firms. Apart from competition concerns, many firms do not have the trust of all other players and will be reluctant to share sensitive information.¹⁹⁸ Legal constraints, such as confidentiality, banking secrecy, and data protection, further inhibit information sharing. In order to encourage cooperation and information sharing—and having recourse to the concept of “Auffangverantwortung”¹⁹⁹—regulators could provide a legal framework that guarantees the confidentiality of firm-specific information, for example, through the anonymization or aggregation of information shared. Such measures would also reduce concerns of increasing insurance premiums or adverse effects on an institution‘s reputation or competitive position. Exemptions from contractual, tort, and regulatory liability regimes, such as the one stemming from the GDPR, could be discussed as well. Finally, a European Cybersecurity Platform with different sub-platforms could be set up to allow smaller groups of firms to share information based on mutual trust freely. This will need to be a gradual process. State intervention and mandatory information sharing within the private sector should be considered only if the voluntary collaborative approach led to obvious shortcomings.

2. Between the Private Sector and Public Authorities

Private institutions and public authorities exchange information through several mandatory incident notification schemes and cooperate on a voluntary basis in public-private partnerships and networks such as the ECRB and the European FI-ISAC. While private firms typically know more than outsiders about the architecture of their systems and its potential weaknesses, the government, via their intelligence services, typically knows more than private firms about cyber threats stemming from foreign governments.²⁰⁰ Looking ahead, there needs to be a mind-shift to move beyond incident reporting towards also sharing ex ante operational, tactical, and strategical threat intelligence.²⁰¹ Such a mind-shift could be realized through the creation of a European Cybersecurity Platform.

3. At the Public Level

At the public level, organizations like ENISA, the EGC group, the CECSP, or the CSIRTs network and the Cooperation Group have a mandate to facilitate cross-border and cross-sectoral cooperation and information sharing among national and European authorities. Information to be shared should include cyber-incidents and operational, tactical, and strategical threat intelligence. One major obstacle to information sharing at the public level is, however, that the Member States often consider these kinds of information confidential and do not want to share it for national security reasons. In order to enhance Europe‘s position as a world leader in the digital economy and to create a Digital Single Market for financial services and goods, they must open up in this regard eventually.

Finally, the reporting of cyber-incidents affecting civil society and individuals must be facilitated in order to have sufficient awareness of the cybersecurity landscape in Europe and of the emergence of new vulnerabilities and threats. Member States should be encouraged to establish national helpdesks, for example, a national cybersecurity officer.

III. Integrating the Financial Sector in a European Cybersecurity Platform

To this end, a common EU body for sharing intelligence, analyzing cyber threats, and providing strategic reports could be established.²⁰² Its task would be to “connect the dots” in the currently fragmented institutional cybersecurity infrastructure within the EU and its Member States on the one hand, and public authorities and the private sector on the other. Taking account of the security prerogative of Member States, the Platform would not assume executive competences.

1. Rationale

As a starting point, an efficient response to cyber-attacks requires the development of strategic capabilities at the EU level, such as expertise, information checking and analysis, and scenario and threat assessment. At the operational level, this would allow to close information gaps of national law enforcement authorities, providing them with the necessary information to tackle threats and prevent attacks. On this basis, a wide range of operational responsibilities, from incident response and investigation support to coordination and frontline operations, could be developed at Member States level by public authorities and in close cooperation with private actors.

The idea is thus to task a body, which is not intended to replace but to support the relevant actors in the Member States and at the European level. For instance, support would mean providing a hub to share information and expertise between national cybersecurity services across all Member States, and compiling “overall assessments” on cyber threats and changing modus operandi of cyber-attacks from a European perspective. The National Cyber Security Centre in the United Kingdom (NCSC UK) or the Nationaal Cyber Security Centrum in the Netherlands (NCSC NL) could serve as an example in this regard.

At the European level, this task could be implemented by a European Cybersecurity Platform. Such a platform could merge information deriving from the relevant actors active in all three areas of cybersecurity in order to depict a “European picture of cybersecurity.” On this basis, it could provide a platform to jointly elaborate holistic responses to all kind of cyber-attacks within the EU. Such an independent strategic analysis and assessment of collectively shared information may contribute to creating a joint European perception of threats and challenges in the field of cybersecurity and provide common situational awareness among national authorities and the private sector.

Member States and private actors are far more likely to seek bilateral cooperation with like-minded actors. For this reason, it is highly important to establish a constant platform where different ideas on how to counter cyber-attacks can be discussed with the aim of defining common approaches to cybersecurity. In this context, the European Cybersecurity Platform‘s analysis and strategic reports may deliver the necessary evidence for a constructive discussion. Functioning as a type of intermediary between the relevant actors, the Platform would rapidly gain experience in synchronizing preventive and repressive policies and guaranteeing that authorities complement each other instead of operating in parallel.

2. Operational Tasks

At the operational level, the European Cybersecurity Platform could make sure that national law enforcement authorities are provided with joint operational expertise. Based on the information provided, national authorities could adapt their investigative strategies as well as their preventive measures and could increase the effectiveness of their work. In this regard, Joint Investigation Teams could provide a ready-made framework for cooperation between national law enforcement authorities to implement operational measures.

The task of “connecting the dots” could be fulfilled gradually. As a first step and absolute precondition, the European Cybersecurity Platform would have to receive information held by EU actors as well as public and private actors at the national level. Such information would have then to be evaluated by the Platform in order to issue preventive “overall assessments” of cyber threats within the EU and to provide national authorities with realistic appraisals of situational developments and strategic recommendations. Additionally, the Platform would have to provide a framework for pooling this information among national authorities and EU bodies and could potentially accompany the implementation of the information it generated on the ground.

Privacy and competition-related concerns in the context of information exchange could be alleviated, at least to some extent, through the distribution of summary or aggregated data. Article 83(1) EMIR,²⁰³ according to which “no confidential information … shall be divulged to any person or authority, except in summary or aggregate form,” could serve as an example in this regard.²⁰⁴

3. Organizational Structure

The Platform would be composed of the head of ENISA, the head of the EU Intelligence and Situation Centre (INTCEN), a high representative from the Commission—for example a European Cybersecurity Coordinator working under the authority of its President or the Commissioner for the Security Union—²⁰⁵ a representative of the CSIRTs network and the Cooperation Group and the representatives of different communities—like the financial sector—organized in specific sub-platforms.

It would be assisted by a small secretariat, composed of staff seconded from the relevant services of the Member States, from the Commission, and from the participating agencies. The Platform would meet once a month and issue monthly reports on connecting the dots that would bring together intelligence and operational expertise and knowledge.

At a certain point, however, the Platform could become too limited in its capacity and could make judicial and parliamentary review more difficult, which is of relevance particularly in a context where fundamental rights are at stake. Therefore, it is of utmost importance to guarantee efficient forms of accountability and judicial review. For that reason, in due course, the Platform could evolve into an independent body, such as an agency.

G. Conclusion

Cybersecurity in the financial sector is a dynamic and evolving policy field with unique challenges and specific characteristics. Among these characteristics, the strong involvement of private stakeholders in the rulemaking process stands out. This is all the more remarkable because the involvement of private parties in a security-related policy field is rather unusual. It is, however, of considerable benefit as long as it is guided by a clear legal framework.

In our modern society, only digital security and resilience will enable businesses to fully benefit from the value of data and the new information technology more generally. The EU, assuming its role as an important cybersecurity actor and recognizing the importance of cybersecurity regulation for the creation of a Digital Single Market for financial services and the resilience of the Banking and Capital Markets Union, has adopted different pieces of cybersecurity legislation which largely benefitted from previous work of private standard setters. While this was an important first step to improve cybersecurity in the financial sector, the Article has shown that the current EU regulatory landscape for cybersecurity, including overall governance structures, still has considerable weaknesses. In order to address these weaknesses, this Article put forward the adoption of a Single Rulebook for Cybersecurity in the Financial Sector and the creation of a European Cybersecurity Platform.