Cyber resilience refers to ‘the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents’. (Source: FSB Cyber Lexicon [Adapted from CERT Glossary (definition of ‘Operational resilience’), CPMI-IOSCO and NIST (definition of ‘Resilience’)].)
The Eurosystem’s approach
Cyber risk is borderless, and the European Central Bank's (ECB) oversight approach aims to ensure that the financial ecosystem as a whole is resilient against cyber threats, in line with international initiatives in this field.
In March 2017, the Governing Council of the ECB approved the Eurosystem cyber resilience strategy for FMIs, aiming to put into practice the CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures.
In December 2018, the ECB published the Cyber Resilience Oversight Expectations (CROE) for financial market infrastructures, which define the Eurosystem’s expectations in terms of cyber resilience, based on existing global guidance (i.e., the CPMI-IOSCO Guidance mentioned above).
In March 2024, the Governing Council of the ECB further strengthened its approach and approved the revised Eurosystem cyber resilience strategy to provide a consistent, holistic approach to addressing cyber risks. This revised strategy expands its scope to include entities overseen under the Eurosystem oversight framework for electronic payment instruments, schemes, and arrangements (PISA). Enhanced monitoring tools introduced in the strategy facilitate detailed tracking and continuous improvement across jurisdictions. Aligned with the Digital Operational Resilience Act (DORA), which will apply as of January 2025, the revised strategy aims to bolster the cyber resilience of the financial ecosystem by addressing evolving cyber threats and fostering sector-wide resilience and collaboration.
In line with the Eurosystem’s approach, the Central Bank of Cyprus (CBC) monitors the readiness of local financial market infrastructures (FMIs) with respect to cyber resilience.