This article zeroes in on Article 13 and Article 14, dissecting their implications and guiding your compliance journey.

Article 13: Communication – A Necessity, Not an Option

Importance of Communication Plans

Article 13 mandates that financial entities should have a communication plan as a part of their ICT risk management framework. This plan is not just an internal affair; it should enable responsible disclosure of ICT-related incidents or significant vulnerabilities to clients, counterparts, and the public as appropriate.

Communication Policies for Staff and Stakeholders

Additionally, Article 13 emphasizes the need for distinct communication policies for staff and external stakeholders. These policies should differentiate between personnel directly involved in ICT risk management, particularly in response and recovery, and those who simply need to be informed.

Designating a Spokesperson

Every financial entity must designate at least one individual to implement the communication strategy for ICT-related incidents. This person will serve as the spokesperson for public and media interactions, adding a human element to an otherwise technical issue.

Article 14: Further Harmonization of ICT Risk Management Tools

Article 14 is a pivotal provision: it brings together European regulatory bodies such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), in consultation with the European Union Agency for Cybersecurity (ENISA).

Key Elements for Harmonization

The article provides for specifying further elements that should be included in ICT security policies, focusing on:

  • Security of networks
  • Safeguards against intrusions
  • Data authenticity and integrity
  • Accurate and prompt data transmission

Final Considerations

The alignment of ICT risk management tools and methods across the European financial sector is not just about compliance; it’s about building a resilient, harmonious ecosystem that can withstand the complex challenges of today’s digital world. Articles 13 and 14 serve as critical building blocks in the establishment of such an ecosystem, and compliance with these articles is non-negotiable for financial entities operating within the EU.

Key Takeaways

  • Article 13 focuses on effective communication during ICT-related incidents and mandates policies for staff and external stakeholders.
  • Article 14 aims for a harmonized approach towards ICT risk management, involving major regulatory bodies.

Understanding and implementing these articles should be a priority for EU financial entities, given their significance in operational resilience and public trust.


By keeping these articles in perspective, financial entities can better prepare for regulatory expectations and build a resilient operational framework.