European Banking Authority consults on revisions to GL on PSD2 major incident reporting

2020/10/14

The European Banking Authority (EBA) launched a public consultation (to run until 14 December 2020) on proposed revisions to the guidelines (GL) on major incident reporting under the Payment Service Directive (PSD2), to optimise and simplify the reporting process, capturing additional relevant security incidents, reducing the number of operational incidents to be reported, and improving the meaningfulness of the incident reports received. The consultation paper (CP) proposes the introduction of the new incident classification criterion ‘breach of security measures’ to capture security incidents where the breach of the security measures of the payment service provider has an impact on the availability, integrity, confidentiality and/or authenticity of the payment services related data, processes and/or systems. It also introduces changes to the thresholds for the calculation of the criteria ‘transactions affected’ and ‘payment service users affected’. The EBA suggests the use of a standardised file for reporting major incident reports, streamlining the reporting template, and adding further granularity to the reported causes of incidents and aligning those to other incident reporting frameworks in the EU. The EBA also proposes to remove the regular updates on the intermediate report and to extend the deadline for submission of the final report.