Europe's financial supervisory authorities have advised against the introduction of a coherent cyber resilience testing framework for the continent's market participants and infrastructures - at least in the short term.
The European Supervisory Authorities - the EBA, EIOPA and Esma - were asked by the European Commission to weigh in on the costs and benefits of such a framework as part of the EC Fintech Action Plan.
In their advice, the ESAs say that there are "clear benefits" to such a framework but there are "significant differences" across and within financial sectors when it comes to the maturity of cybersecurity, meaning that a one-size-fits-all approach is difficult in the short term.
Instead, the ESAs suggest focusing on a minimum level of cyber-resilience across sectors that is "proportionate to the needs and characteristics of the relevant entities".
The advice does suggest that a voluntary EU-wide testing framework could be developed together with other relevant authorities, taking into account existing initiatives.
The EC also asked the ESAs to provide advice on the need for legislative improvements relating to ICT risk management requirements.
Here, the advice calls for the streamlining of aspects of the incident reporting frameworks across the financial sector and also suggests a legislative approach to help monitor the activities of critical third-party service providers.
While welcoming many aspects of the advice, Lorraine Johnston, regulatory counsel at law firm Ashurst, highlights one "glaring" omission: the lack of advice relating to board governance of ICT and cyber resilience.
Says Johnston: "Until ICT and cyber security sit squarely as a board level responsibility, some of these issues will remain to be seen as 'IT helpdesk' problems."