Cyber risk is one of the foremost threats to the operational resilience and business continuity of payment systems and financial infrastructures in general. In response, the Governing Council of the European Central Bank (ECB) has defined a strategy for the Eurosystem’s financial infrastructures that aims to enhance the cyber resilience of the European Union’s (EU) financial sector. The strategy is based around three pillars: bank-level preparedness (Pillar 1), sector-wide preparedness (Pillar 2) and strategic collaboration (Pillar 3). The original strategy was updated in March 2024.
Various tools are used to implement the strategy, contributing to the specific objectives of each pillar and ensuring coherency. To assess entity-level preparedness, as outlined in Pillar 1, cyber resilience surveys are conducted, compliance with the ECB’s cyber resilience oversight expectations is evaluated and the TIBER-EU framework is applied for red teaming tests (this takes the form of the TIBER-ES framework in Spain). To strengthen the second pillar (sectoral resilience), the interconnections within the ecosystem are analysed to identify critical third-party providers, alongside other considerations. In addition, international crisis simulations and sector-specific operational continuity exercises are used to encourage collaboration among global authorities. Lastly, the Euro Cyber Resilience Board for pan-European Financial Infrastructures was established to foster the strategic dialogue envisaged in Pillar 3.
Additionally, on a regulatory level, there are various national and European provisions aimed at bolstering the financial sector’s cyber resilience. Key examples include the Regulation on oversight requirements for systemically important payment systems (SIPS regulation) and the Digital Operational Resilience Act (DORA), which covers financial institutions, central securities depositories and central counterparties, among others. At the Spanish level, Article 4 of Royal Decree-Law 8/2023 extends the application of certain aspects of the DORA to the operators of payment systems and other key stakeholders in the payment ecosystem, conferring their supervision on the Banco de España.