In recent years, the EU has focused on cybersecurity through the creation and coordination of new regulations and directives. Their aim is to increase cybersecurity capabilities and cooperation across organisations and countries and introduce a set of standards that each EU member state will need to apply to securely trade within the Digital Single Market, through cross-border trusted authentication.
This blog will review the whole regulatory framework and summarise some of the key cybersecurity regulations that are affecting institutions and organizations, specifically in the EU financial industry. Who exactly needs to be aware of these regulations? Any player in the sectors of investment, accounting, insurance, banking, online payments, FinTech or any entity that needs to process credit card data for citizens in the EU.
The increased stringency around data protection and integrity required by the European Commission aims to improve data sharing and digital communication across borders in the EU, so that fewer businesses are impacted by data breaches and cyber attacks. In turn, cardholder data stays safe and secure. In effect, both the business and the consumer benefit from these regulations.
For today’s cybersecurity and IT departments, compliance with these regulations is critical. The best way to get started is a clear analysis of the current regulatory landscape and understanding of what standards apply to your business, as well as the timelines for adoption.
Let’s take a quick look at some of the main directives that should be on your radar.
Electronic Identification, Authentication and Trust Services (eIDAS)
Aimed at all organisations delivering public digital services in an EU member state, eIDAS was established in EU Regulation 910/2014 in July of 2014 and sets a standard for electronic identification and trust services in the European Single Market. It went into effect in July of 2016.
Key themes include:
- Interoperability – Member states are required to create a common framework for recognizing eIDs from other member states. This ensures authenticity and security, especially when conducting business across borders.
- Transparency – eIDAS provides a clear and accessible list of trust services that may be used within the centralised signing framework. This allows security stakeholders to engage in dialogue about best technologies and tools for cybersecurity.
There are a total of nine trust services that come under the eIDAS Certification Scheme:
1. The provision of qualified certificates for electronic signatures;
2. The provision of qualified certificates for electronic seals;
3. The provision of qualified certificate for website authentication;
4. Qualified validation service for qualified electronic signatures;
5. Qualified validation service for qualified electronic seals;
6. Qualified preservation service for qualified electronic signatures;
7. Qualified preservation service for qualified electronic seals;
8. Qualified electronic time stamp service and
9. Qualified electronic registered delivery service.
To become a qualified trust service provider (QTSP) under eIDAS (like GlobalSign is!) an organisation must undergo specific audits and meet a set of criteria. All of the qualified certificates sold under eIDAS must also be provided on a qualified signature creation device (QSCD) which itself would be audited to ensure it meets the following requirements:
- The generated signature creation data is managed by a qualified trust service provider (QTSP).
- Only the signatory has control over their private key.
- The signature creation data is unique, confidential and protected from forgery.
You can download our free eIDAS Guide for a more detailed explanation on the eIDAS regulation.
Payment Services II Directive (PSD2) and Regulatory Technical Standards for Secure Customer Authentication (RTS SCA)
This regulation is aimed at credit, payment, and e-money institutions.
On 23rd December 2015, the Directive 2015/2366 on payment services (PSD2) was published in the Official Journal of the EU. PSD2 replaces PSD, in place since 2007. The goal of PSD2 is to foster innovation and competition in the financial services industry and introduce higher security standards for online payments.
Key themes include:
- Creating a secure interface to allow third-party providers to access payment account information of the bank's client
- Ensuring compliance with the new client authentication rules
- Supporting third-party providers to use the new access-to-accounts API (XS2A) interface before Q2-Q3 2019
Within the Regulatory Technical Standards (RTS), there is a focus on common and secure communication (CSC) between all parties involved. All transactions between payment service providers and financial institutions must take place over secured channels and ensure authenticity and integrity of the data.
The regulation also discusses what constitutes strong customer authentication (SCA), including the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials.
In March of 2019, PSD2 was updated to include information for Account Servicing Payment Service Providers (ASPSPs), who will need to make the technical specifications of their access interfaces (whether dedicated or user-facing) available to third-party providers and also provide them with a testing facility to carry out secure trials of software and other user-facing applications.
To facilitate this, the EU Commission proposed the creation of an Application Programming Interface Evaluation Group (API EG) to create and evaluate standardised API specifications.
Looking for a printable and shareable PSD2 reference? Download our free e-Guide.
The Directive on Security of Network and Information Systems (NIS Directive)
This directive applies to companies in the following sectors:
- banking (credit institutions)
- financial market infrastructures
- digital infrastructure
In July of 2016, Directive (EU) 2016/1148 of the European Parliament and of the Council was published, proposing requirements for a high common level of security of network and information systems across the European Union.
The EU Directive on Security of Network and Information Systems (NIS Directive) sets out the security requirements and incident notification rules for digital service providers and operators of essential services across EU member states. Member states had until May 2018 to translate it into national law. The UK government issued a public consultation document in August of 2017, which sets out the government’s proposed approach to implementing the directive, and provides clarity on what is expected of operators of essential services and digital service providers.
Key themes include:
- adoption of a national strategy on the security of network and information systems
- designation of “one or more National Competent Authorities” to oversee implementation and compliance with the directive’s provisions
- designation of a “single point of contact” to act as a liaison point with other Member States
- creating one or more computer security incident response teams (CSIRTs)
The eInvoicing Directive
This directive affects B2B organizations and Accounts Payable departments within a broad range of industries.
It is designed to reduce the complexity and legal uncertainty around eInvoicing and provide some protections around invoices that are delivered electronically, a channel that otherwise opens the door to cyber fraud and other serious cyber risks.
The need to guarantee "authenticity of origin" (i.e., the identity of the invoice issuer) and "integrity of content" (i.e., the content of the invoice has not been changed since the moment of issuance) for e-invoices was established in EU Directive 2006/112/EC on Value Added Tax (VAT). All VAT-registered entities must meet this requirement in order to maintain compliance.
The "VAT Directive" specifies advanced electronic signatures as one method for doing this.
The most recent updates to the eInvoicing Directive leverage the provisions established in the VAT Directive, including the ability to use advanced electronic signatures to guarantee invoice authenticity and integrity, and specify that all senders of electronic invoices, not just VAT entities, must be able to guarantee this.
Advanced electronic signatures guarantee authenticity of origin and integrity of content by:
- Uniquely identifying the sender of the invoice
- Creating a tamper-evident seal on the invoice contents, such that any changes made to the document after it was signed will be detectable
Download our eInvoicing eBook for more information on the key benefits of the eInvoicing directive and how it works.
Integrity, Confidentiality, Non-Repudiation: Financial Services Fundamentals
These are three buzzwords that encompass the regulations we covered in the blog post above. As the EU works to create a new infrastructure to support financial institutions by creating greater transparency and stronger cybersecurity, the end result will be improved data protection and economic stability.
But how do you prove your data is accurate, keep it out of the prying eyes of an unwanted third party, or keep it from being altered in any way?
Public Key Infrastructure (PKI) is the answer. The use of digital certificates allows you to encrypt and sign documents, emails, and data.
We should be able to say that highly sensitive financial data has:
- Integrity – it cannot be altered by an unwanted third party
- Confidentiality – it cannot be seen by an unwanted third party
- Non-repudiation – it cannot be falsified by a third party
Digital certificates can provide all of the above. Whether you’re a FinTech, payment provider, comparison service or bank, cybersecurity will be a top concern when sharing and exchanging data. It’s great providing a service that consumers need and want but if you can’t do this securely, you’re harming more than helping.
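The two properties the eInvoicing section asks an advanced electronic signature to deliver (authenticity of origin and integrity of content) and the integrity and non-repudiation points in the list above come down to the same mechanism: a signature made with a private key, checked against a certificate that names the key holder. The following Go program is an added example written for this post; it is not GlobalSign's code and not a qualified (eIDAS) implementation. It generates a throwaway P-256 key and a self-signed certificate in place of a QSCD-held key and a QTSP-issued certificate, signs a constructed sample invoice, and shows that both a modified invoice and an unexpected issuer name are rejected. The issuer name "Acme Supplier GmbH" and the invoice text are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer bundles a private key with the certificate that identifies its holder.
// In a qualified setup the key lives in a QSCD and the certificate comes from a
// QTSP; here both are generated locally purely for illustration.
type Signer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// NewSelfSignedSigner creates a P-256 key and a self-signed certificate whose
// subject names the invoice issuer. The self-signed certificate is a stand-in
// for a QTSP-issued one; a real recipient would also validate the chain.
func NewSelfSignedSigner(issuer string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: issuer, Organization: []string{issuer}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{key: key, cert: cert}, nil
}

// Sign hashes the invoice bytes with SHA-256 and returns an ASN.1 ECDSA
// signature, the "tamper-evident seal" over the invoice contents.
func (s *Signer) Sign(invoice []byte) ([]byte, error) {
	digest := sha256.Sum256(invoice)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Certificate returns the DER-encoded certificate that travels with the
// invoice so the recipient can identify who signed it.
func (s *Signer) Certificate() []byte { return s.cert.Raw }

// VerifyInvoice checks authenticity of origin (the certificate names the
// expected issuer) and integrity of content (the signature verifies over
// exactly the bytes received). Any change to the invoice after signing, or a
// certificate for a different issuer, yields an error.
func VerifyInvoice(certDER, invoice, sig []byte, expectedIssuer string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if cert.Subject.CommonName != expectedIssuer {
		return errors.New("authenticity of origin failed: certificate is for " + cert.Subject.CommonName)
	}
	// CheckSignature hashes the invoice with SHA-256 and verifies the ECDSA
	// signature against the public key embedded in the certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, invoice, sig); err != nil {
		return errors.New("integrity of content failed: " + err.Error())
	}
	return nil
}

func main() {
	signer, err := NewSelfSignedSigner("Acme Supplier GmbH") // hypothetical issuer
	if err != nil {
		panic(err)
	}
	// Constructed sample invoice; in practice this would be the XML/PDF bytes.
	invoice := []byte("Invoice 2024-0001\nIssuer: Acme Supplier GmbH\nAmount: 250.00 EUR\n")
	sig, err := signer.Sign(invoice)
	if err != nil {
		panic(err)
	}
	fmt.Println("original invoice:", VerifyInvoice(signer.Certificate(), invoice, sig, "Acme Supplier GmbH"))
	tampered := []byte("Invoice 2024-0001\nIssuer: Acme Supplier GmbH\nAmount: 2500.00 EUR\n")
	fmt.Println("tampered invoice:", VerifyInvoice(signer.Certificate(), tampered, sig, "Acme Supplier GmbH"))
}
```

The first verification returns nil and the second returns an integrity error, because changing even one digit of the amount changes the SHA-256 digest the signature was computed over. Confidentiality is not addressed here: signing leaves the invoice readable, so an encrypted channel or encrypted payload is still needed alongside it.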
In order to align ourselves to the current EU regulatory landscape and the Open Banking framework, GlobalSign has the solutions and accreditation to help you with nearly all EU security regulations. We are considered an official Trust Service Provider under eIDAS and also PSD2, which means that we can provide Qualified Certificates For Electronic Signatures, Qualified Certificates For Electronic Seals, and QWACs and QSealCs for PSD2.
All this alongside our existing PKI managed services that were developed to meet a broad range of use cases and scenarios including email security and mobile authentication, to name just two.
If you’d like to find out more on how these regulations apply to you and what steps you can take to achieve compliance, our experts at GlobalSign are happy to help.