The revised Guidelines optimise and simplify the reporting process and templates, focus on incidents with significant impact on payment service providers (PSPs), and improve the meaningfulness of the information to be reported. The revised Guidelines are also estimated to reduce the reporting burden for PSPs.

In accordance with PSD2, PSPs are required to report to the competent authority in their home Member State major operational or security incidents, which have or are likely to have an adverse impact on the provision of payment services.

These revised Guidelines introduce changes to some of the original classification criteria and introduce a new criterion on the breach of security of network or information systems, which, following the feedback from the public consultation, was narrowed down in scope from ‘breach of security measures’, as originally proposed. This new criterion focuses on malicious actions that have compromised network or information systems related to the provision of payment services and it would allow the reporting of additional security incidents that would be of interest to supervisors.

To reduce the reporting burden on PSPs, the EBA removed unnecessary steps from the reporting process and allowed more time for the submission of the final report. The EBA also simplified and optimised the standardised reporting template. These changes are estimated to result in a reduction of the reportable incidents by more than 10% and to facilitate PSPs in their reporting of major incidents.

The Guidelines will apply as of 1 January 2022.
Legal basis and background

Article 96(3) of Directive (EU) 2015/2366 on Payment Services in the Internal Market (PSD2) confers on the European Banking Authority (EBA) the mandate to develop, in close cooperation with the European Central Bank (ECB), Guidelines addressed to payment service providers on the classification and notification of major operational or security incidents, and to competent authorities on the criteria to assess their relevance and the details to be shared with other domestic authorities. Article 96(4) of PSD2, in turn, requires the EBA, in close cooperation with the ECB, to review the Guidelines on a regular basis and in any event at least every 2 years.

The original Guidelines on major incident reporting were developed in 2017 in close cooperation with the European Central Bank (ECB) and have applied since January 2018. The EBA launched the review of the Guidelines in 2020 by assessing the reports it had received by then.

The EBA acknowledges the ongoing negotiations of the EU Commission’s proposal for an EU regulatory framework on digital operational resilience (DORA), which contains, inter alia, a proposal to harmonise and streamline the reporting of ICT-related incidents, not only for payment services but across the entire EU finance sector. The EBA will continue monitoring these negotiations. Depending on their outcome, the EBA Guidelines may eventually be repealed and replaced with the DORA Regulation, which is currently estimated to apply from 2024.