On November 9th, 2023, the European Securities and Markets Authority (“ESMA”) published an announcement making cyber risk a new Union Strategic Supervisory Priority (the “Announcement”).
Further to the Announcement, ESMA is changing its Union Strategic Supervisory Priorities (the “USSPs”) to focus on cyber risk and digital resilience alongside ESG disclosures. Pursuant to this priority, EU supervisors will put greater emphasis on reinforcing firms’ ICT risk management through close monitoring and supervisory actions, in order to keep pace with market and technological developments and closely monitor contagion effects of attacks and disruptions across markets and firms.
The new USSP will come into force in 2025 (at the same time as the Digital Operational Resilience Act, DORA), so as to provide supervisors and firms with sufficient time to prepare for compliance with the new regulatory requirements. Meanwhile, ESMA and national competent authorities (NCAs) will carry out preparatory work to plan and shape the supervisory activities to be undertaken under this priority.
In addition, ESMA and NCAs will continue to work on the second priority, i.e., ESG disclosures, in order to tackle greenwashing, increase investors’ understanding and embed sustainability requirements when firms advise investors. ESG disclosures will remain the focus in 2024 across key segments of the sustainable finance value chain, e.g., issuers, investment managers and investment firms.
Whilst the new USSP on cyber risk and digital resilience will replace the USSP on market data quality, ESMA notes that data quality remains a primary duty of supervised entities. Thus, firms and their top management should take ownership of the data they report and also make greater use of it for internal purposes. EU supervisors will continue to undertake important supervisory work on data quality since it remains fundamental in building a data-driven supervisory approach, which is a key strategic objective under the ESMA Strategy.