EBA publishes final guidelines on major incident reporting under PSD2

The Guidelines set out:

  • the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State
  • the template that payment service providers are required to use for this notification and the reports they have to send during the lifecycle of the incident, including the time frame to do so
  • a set of criteria that competent authorities have to use as primary indicators when assessing the relevance of a major operational or security incident to other domestic authorities in the context of the PSD2
  • the minimum information that competent authorities should share with these domestic authorities when an incident is considered of relevance for the latter