The WFE’s response covers a number of key areas including:

Information and communications technology (ICT) and security risk management framework based on key common principles: The WFE believes that internationally recognised common principles and standards are key to ensuring that the global markets and firms which engage with the EU, and beyond, are well positioned to understand the requirements that are made of them. The consideration of existing frameworks, such as NIST and ISO, would be key for compliance with any such proposal.
ICT and security incident reporting: The WFE notes that market infrastructures in the EU are currently subject to strict incident reporting requirements, mandated by the National Competent Authority (NCA) in the jurisdiction they operate. Changing the approach to create a centralised, harmonised reporting structure for the EU might introduce problems due to a potential lack of background information or context and non-familiarity with local markets. The WFE is, however, supportive of a move towards harmonising security testing requirements, given the cross-border nature of the threat and the likelihood of an organisation needing to operate in more than one jurisdiction. The WFE would also support efforts to promote an international standard (i.e. one that is globally applicable and adoptable) for security-testing requirements, based on a principles- and outcomes-based approach.
Communication between supervisors: Whilst the WFE supports the sharing of information between public authorities, it advocates that this be ad hoc, high-level and thematic, rather than a standing mechanism to exchange detailed reports, incident by incident. It argues that the former would not only be more effective but also would not run against confidentiality requirements (with respect to reporting financial entities).

Nandini Sukumar, Chief Executive Officer, WFE said: “As the stewards of global public markets, ensuring their continued stability and safety, members of the WFE operate at the very highest level in terms of digital operational resilience. The WFE therefore welcomes the opportunity to engage with the EU Commission’s work in this area, and supports policymakers and the wider industry’s efforts to enhance operational resilience and to improve practices across the whole of the financial services sector.”

The WFE operates a dedicated cyber security working group (GLEX) to promote the sharing of information and to generate best practice among the industry. The WFE is always open to discussing what the sector is doing and how its members share information and best practice, with the EU, other regulatory jurisdictions, and the international standard setters.