Exchanges play an important role in promoting the stability of the financial system and are taking several measures to ensure their cyber resilience. This function is already subject to supervision by competent authorities. While there is a need for a coordinated approach on cyber-resilience, it is important that flexibility to innovation is safeguarded and ‘one-size-fits-all’ procedures are not put in place.
FESE would caution against overly prescriptive measures and advocate for solutions that ensure the necessary flexibility to meet the individual needs of exchanges, the markets they service, and the challenges/threats they face. Any requirement to disclose details on cyber resilience should therefore be assessed in a careful manner to ensure sharing of such information does not unintentionally better equip potential attackers, thereby increasing cyber resilience-related risk. A potential approach should be sufficiently broad to encompass multiple cyber risks and avoid recommending specific, overly prescriptive, and quantitative parameters.
Direct supervision at central level of financial entities
- FESE would not support an EU-wide cybersecurity system for all financial entities
- Financial market infrastructures are already subject to EU regulation (including MiFID II/MiFIR), national requirements and follow well-established international standards.
- A centralised reporting structure may introduce problems due to lack of detail and familiarity with local markets.
- The principles of proportionality and subsidiarity should be considered and focus should be on strengthening supervisory convergence to ensure there is a level playing field across the EU