Major incidents reporting under PSD2
30 January, 2019
Directive 2015/2366, of the European Parliament and of the Council, of 25 November 2015, on payment services in the internal market (Payment Services Directive 2 or PSD2) establishes the obligation of payment service providers to report to the competent authorities (in this case, Bank of Portugal) when an operational or security incident occurs, provided that the incident is classified as severe.
The Decree-Law that transposed PSD2 into the national legal order (Decree-Law 91/2018, of 12 November) sets the obligation of payment service providers operating in Portugal to report those incidents to Bank of Portugal, which now prescribes the procedure and reporting model through which they should do so, by publishing Instruction 01/2019 (published in Boletim Oficial of Bank of Portugal of 01/15/2019).
The European Banking Authority (EBA) issued its Guidelines on major incident reporting under PSD2 (EBA/GL/2017/10), which set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home Member State. These guidelines entered into force on 01/13/2018 and the criteria set forth therein were reproduced in Instruction 01/2019.
Nuno Nogueira Pinto