Payment Services Directive (PSD2)
Table of Contents
Chapter I – SUBJECT MATTER, SCOPE AND DEFINITIONS
Chapter II – PAYMENT SERVICE PROVIDERS
Chapter III – TRANSPARENCY OF CONDITIONS AND INFORMATION REQUIREMENTS FOR PAYMENT SERVICES
Chapter IV – RIGHTS AND OBLIGATIONS IN RELATION TO THE PROVISION AND USE OF PAYMENT SERVICES
Chapter V – DELEGATED ACTS AND REGULATORY TECHNICAL STANDARDS
Chapter VI – FINAL PROVISIONS
Recitals (113)
Annexes
Chapter IV – RIGHTS AND OBLIGATIONS IN RELATION TO THE PROVISION AND USE OF PAYMENT SERVICES
Article 95
Management of operational and security risks
1. Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.
The first subparagraph is without prejudice to the application of Chapter II of Digital Operational Resilience Act (DORA) to:
(a) payment service providers referred to in points (a), (b) and (d) of Article 1(1) of this Directive;
(b) account information service providers referred to in Article 33(1) of this Directive;
(c) payment institutions exempted pursuant to Article 32(1) of this Directive; and
(d) electronic money institutions benefitting from a waiver as referred to in Article 9(1) of Electronic Money Directive (EMD2).
2. Member States shall ensure that payment service providers provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.
3. By 13 July 2017, EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of European Banking Authority Regulation (EBA) with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant.
EBA shall, in close cooperation with the ECB, review the guidelines referred to in the first subparagraph on a regular basis and in any event at least every 2 years.
4. Taking into account experience acquired in the application of the guidelines referred to in paragraph 3, EBA shall, where requested to do so by the Commission as appropriate, develop draft regulatory technical standards on the criteria and on the conditions for establishment, and monitoring, of security measures.
Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of European Banking Authority Regulation (EBA).
5. EBA shall promote cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities, and between the competent authorities and the ECB and, where relevant, the European Union Agency for Network and Information Security.