ECB Cyber Resilience Oversight Expectations for Financial Market Infrastructures
European Central Bank expectations for cyber resilience of euro area financial market infrastructures. 21 expectations across 3 pillars: governance (board oversight, risk appetite, cyber strategy), identification and protection (threat-led testing, situational awareness, learning and evolving), and detection and response (incident management, recovery, crisis communication). Builds on CPMI-IOSCO cyber resilience guidance with ECB-specific supervisory expectations.
Control families (number of mapped controls): AC (16), AT (5), AU (10), CA (7), CM (14), CP (11), IA (6), IR (9), MA (4), MP (6), PE (16), PL (4), PM (16), PS (9), PT (3), RA (8), SA (6), SC (17), SI (8), SR (6)
AC Access Control
| Control | Name | ECB CROE References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | CROE.2.3.1 |
| AC-02 | Account Management | CROE.2.3.1 |
| AC-03 | Access Enforcement | CROE.2.3.1 |
| AC-04 | Information Flow Enforcement | CROE.2.3.5 |
| AC-05 | Separation Of Duties | CROE.2.3.1 |
| AC-06 | Least Privilege | CROE.2.3.1 |
| AC-07 | Unsuccessful Login Attempts | CROE.2.3.1 |
| AC-09 | Previous Logon Notification | CROE.2.3.1 |
| AC-10 | Concurrent Session Control | CROE.2.3.1 |
| AC-11 | Session Lock | CROE.2.3.1 |
| AC-12 | Session Termination | CROE.2.3.1 |
| AC-17 | Remote Access | CROE.2.3.5 |
| AC-18 | Wireless Access Restrictions | CROE.2.3.5 |
| AC-19 | Access Control For Portable And Mobile Devices | CROE.2.3.5 |
| AC-20 | Use Of External Information Systems | CROE.2.2.3 |
| AC-24 | Access Control Decisions | CROE.2.3.1 |
AT Awareness and Training
| Control | Name | ECB CROE References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | CROE.2.1.2, CROE.2.3.2 |
| AT-02 | Security Awareness | CROE.2.1.2, CROE.2.3.2, CROE.2.8.2 |
| AT-03 | Security Training | CROE.2.1.2, CROE.2.3.2, CROE.2.8.2 |
| AT-04 | Security Training Records | CROE.2.3.2 |
| AT-06 | Training Feedback | CROE.2.1.2, CROE.2.3.2, CROE.2.8.1 |
AU Audit and Accountability
| Control | Name | ECB CROE References |
|---|---|---|
| AU-02 | Auditable Events | CROE.2.4 |
| AU-03 | Content Of Audit Records | CROE.2.4 |
| AU-04 | Audit Storage Capacity | CROE.2.4 |
| AU-05 | Response To Audit Processing Failures | CROE.2.4 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | CROE.2.4 |
| AU-07 | Audit Reduction And Report Generation | CROE.2.4 |
| AU-09 | Protection Of Audit Information | CROE.2.4 |
| AU-12 | Audit Record Generation | CROE.2.4 |
| AU-13 | Monitoring for Information Disclosure | CROE.2.4, CROE.2.7.1 |
| AU-14 | Session Audit | CROE.2.4 |
CA Security Assessment and Authorization
| Control | Name | ECB CROE References |
|---|---|---|
| CA-02 | Security Assessments | CROE.2.2.1, CROE.2.6.1, CROE.2.8.1 |
| CA-03 | Information System Connections | CROE.2.2.3, CROE.2.3.5 |
| CA-04 | Security Certification | CROE.2.6.1 |
| CA-05 | Plan Of Action And Milestones | CROE.2.8.1 |
| CA-06 | Security Accreditation | CROE.2.2.1 |
| CA-07 | Continuous Monitoring | CROE.2.2.1, CROE.2.4, CROE.2.8.1 |
| CA-08 | Penetration Testing | CROE.2.6.1, CROE.2.6.2 |
CM Configuration Management
| Control | Name | ECB CROE References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | CROE.2.3.4 |
| CM-02 | Baseline Configuration | CROE.2.3.4 |
| CM-03 | Configuration Change Control | CROE.2.3.4 |
| CM-04 | Monitoring Configuration Changes | CROE.2.3.4 |
| CM-05 | Access Restrictions For Change | CROE.2.3.4 |
| CM-06 | Configuration Settings | CROE.2.3.4 |
| CM-07 | Least Functionality | CROE.2.3.4 |
| CM-08 | Information System Component Inventory | CROE.2.2.2 |
| CM-09 | Configuration Management Plan | CROE.2.3.4 |
| CM-10 | Software Usage Restrictions | CROE.2.3.4 |
| CM-11 | User-Installed Software | CROE.2.3.4 |
| CM-12 | Information Location | CROE.2.2.2 |
| CM-13 | Data Action Mapping | CROE.2.2.2 |
| CM-14 | Signed Components | CROE.2.3.4 |
CP Contingency Planning
| Control | Name | ECB CROE References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | CROE.2.5.2 |
| CP-02 | Contingency Plan | CROE.2.5.2, CROE.2.5.3 |
| CP-03 | Contingency Training | CROE.2.5.2 |
| CP-04 | Contingency Plan Testing And Exercises | CROE.2.5.2, CROE.2.6.1 |
| CP-06 | Alternate Storage Site | CROE.2.5.2 |
| CP-07 | Alternate Processing Site | CROE.2.5.2 |
| CP-08 | Telecommunications Services | CROE.2.5.2 |
| CP-09 | Information System Backup | CROE.2.5.2 |
| CP-10 | Information System Recovery And Reconstitution | CROE.2.5.2 |
| CP-12 | Safe Mode | CROE.2.5.2, CROE.2.5.3 |
| CP-13 | Alternative Security Mechanisms | CROE.2.5.2 |
IA Identification and Authentication
| Control | Name | ECB CROE References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | CROE.2.3.1 |
| IA-02 | User Identification And Authentication | CROE.2.3.1 |
| IA-04 | Identifier Management | CROE.2.3.1 |
| IA-05 | Authenticator Management | CROE.2.3.1 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | CROE.2.3.1 |
| IA-12 | Identity Proofing | CROE.2.3.1 |
IR Incident Response
| Control | Name | ECB CROE References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | CROE.2.5.1 |
| IR-02 | Incident Response Training | CROE.2.5.1 |
| IR-03 | Incident Response Testing And Exercises | CROE.2.5.1, CROE.2.6.1 |
| IR-04 | Incident Handling | CROE.2.4, CROE.2.5.1, CROE.2.8.1 |
| IR-05 | Incident Monitoring | CROE.2.5.1, CROE.2.8.1 |
| IR-06 | Incident Reporting | CROE.2.5.1, CROE.2.5.3, CROE.2.7.2 |
| IR-07 | Incident Response Assistance | CROE.2.5.1, CROE.2.5.3 |
| IR-08 | Incident Response Plan | CROE.2.5.1 |
| IR-09 | Information Spillage Response | CROE.2.5.1 |
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | ECB CROE References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | CROE.2.3.6 |
| PE-02 | Physical Access Authorizations | CROE.2.3.6 |
| PE-03 | Physical Access Control | CROE.2.3.6 |
| PE-04 | Access Control For Transmission Medium | CROE.2.3.6 |
| PE-05 | Access Control For Display Medium | CROE.2.3.6 |
| PE-06 | Monitoring Physical Access | CROE.2.3.6 |
| PE-08 | Access Records | CROE.2.3.6 |
| PE-09 | Power Equipment And Power Cabling | CROE.2.3.6 |
| PE-10 | Emergency Shutoff | CROE.2.3.6 |
| PE-11 | Emergency Power | CROE.2.3.6, CROE.2.5.2 |
| PE-12 | Emergency Lighting | CROE.2.3.6 |
| PE-13 | Fire Protection | CROE.2.3.6 |
| PE-14 | Temperature And Humidity Controls | CROE.2.3.6 |
| PE-15 | Water Damage Protection | CROE.2.3.6 |
| PE-17 | Alternate Work Site | CROE.2.3.6, CROE.2.5.2 |
| PE-18 | Location Of Information System Components | CROE.2.3.6 |
PL Planning
PM Program Management
| Control | Name | ECB CROE References |
|---|---|---|
| PM-01 | Information Security Program Plan | CROE.2.1.1 |
| PM-02 | Information Security Program Leadership Role | CROE.2.1.1, CROE.2.1.2 |
| PM-03 | Information Security and Privacy Resources | CROE.2.1.1 |
| PM-04 | Plan of Action and Milestones Process | CROE.2.2.1, CROE.2.8.1 |
| PM-05 | System Inventory | CROE.2.2.1, CROE.2.2.2 |
| PM-08 | Critical Infrastructure Plan | CROE.2.2.3, CROE.2.5.2, CROE.2.5.3 |
| PM-09 | Risk Management Strategy | CROE.2.1.1, CROE.2.2.1 |
| PM-11 | Mission and Business Process Definition | CROE.2.2.2, CROE.2.2.3 |
| PM-12 | Insider Threat Program | CROE.2.5.1, CROE.2.7.2 |
| PM-13 | Security and Privacy Workforce | CROE.2.1.1, CROE.2.1.2 |
| PM-14 | Testing, Training, and Monitoring | CROE.2.1.2, CROE.2.4, CROE.2.6.1, CROE.2.8.1 |
| PM-15 | Security and Privacy Groups and Associations | CROE.2.2.3, CROE.2.5.3, CROE.2.7.1, CROE.2.7.2, CROE.2.8.2 |
| PM-16 | Threat Awareness Program | CROE.2.4, CROE.2.6.2, CROE.2.7.1, CROE.2.7.2, CROE.2.8.2 |
| PM-28 | Risk Framing | CROE.2.1.1, CROE.2.2.1 |
| PM-29 | Risk Management Program Leadership Roles | CROE.2.1.1, CROE.2.1.2 |
| PM-31 | Continuous Monitoring Strategy | CROE.2.8.1, CROE.2.8.2 |
PS Personnel Security
| Control | Name | ECB CROE References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | CROE.2.1.2, CROE.2.3.2 |
| PS-02 | Position Categorization | CROE.2.1.2, CROE.2.3.2 |
| PS-03 | Personnel Screening | CROE.2.1.2, CROE.2.3.2 |
| PS-04 | Personnel Termination | CROE.2.3.2 |
| PS-05 | Personnel Transfer | CROE.2.3.2 |
| PS-06 | Access Agreements | CROE.2.1.2, CROE.2.3.2 |
| PS-07 | Third-Party Personnel Security | CROE.2.3.2 |
| PS-08 | Personnel Sanctions | CROE.2.3.2 |
| PS-09 | Position Descriptions | CROE.2.1.2 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | ECB CROE References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | CROE.2.2.1 |
| RA-02 | Security Categorization | CROE.2.2.1, CROE.2.2.2 |
| RA-03 | Risk Assessment | CROE.2.2.1, CROE.2.7.1, CROE.2.8.2 |
| RA-05 | Vulnerability Scanning | CROE.2.2.1, CROE.2.4, CROE.2.6.1, CROE.2.6.2, CROE.2.7.1 |
| RA-06 | Technical Surveillance Countermeasures Survey | CROE.2.6.1 |
| RA-07 | Risk Response | CROE.2.2.1, CROE.2.8.1, CROE.2.8.2 |
| RA-09 | Criticality Analysis | CROE.2.2.1, CROE.2.2.2 |
| RA-10 | Threat Hunting | CROE.2.4, CROE.2.6.2, CROE.2.7.1 |
SA System and Services Acquisition
| Control | Name | ECB CROE References |
|---|---|---|
| SA-04 | Acquisitions | CROE.2.2.3 |
| SA-08 | Security Engineering Principles | CROE.2.3.4 |
| SA-09 | External Information System Services | CROE.2.2.2, CROE.2.2.3 |
| SA-11 | Developer Security Testing | CROE.2.3.4, CROE.2.6.1 |
| SA-15 | Development Process, Standards, and Tools | CROE.2.3.4, CROE.2.6.1 |
| SA-22 | Unsupported System Components | CROE.2.3.4, CROE.2.8.2 |
SC System and Communications Protection
| Control | Name | ECB CROE References |
|---|---|---|
| SC-02 | Application Partitioning | CROE.2.3.5 |
| SC-03 | Security Function Isolation | CROE.2.3.5 |
| SC-04 | Information Remnance | CROE.2.3.5 |
| SC-05 | Denial Of Service Protection | CROE.2.3.5, CROE.2.4 |
| SC-07 | Boundary Protection | CROE.2.3.5, CROE.2.4 |
| SC-08 | Transmission Integrity | CROE.2.3.3, CROE.2.3.5 |
| SC-12 | Cryptographic Key Establishment And Management | CROE.2.3.3 |
| SC-13 | Use Of Cryptography | CROE.2.3.3 |
| SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | CROE.2.3.5 |
| SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | CROE.2.3.5 |
| SC-22 | Architecture And Provisioning For Name / Address Resolution Service | CROE.2.3.5 |
| SC-24 | Fail in Known State | CROE.2.5.2 |
| SC-26 | Decoys | CROE.2.4, CROE.2.6.2 |
| SC-28 | Protection of Information at Rest | CROE.2.2.2, CROE.2.3.3 |
| SC-36 | Distributed Processing and Storage | CROE.2.5.2 |
| SC-39 | Process Isolation | CROE.2.3.5 |
| SC-44 | Detonation Chambers | CROE.2.3.5 |
SI System and Information Integrity
| Control | Name | ECB CROE References |
|---|---|---|
| SI-02 | Flaw Remediation | CROE.2.3.4, CROE.2.8.1, CROE.2.8.2 |
| SI-03 | Malicious Code Protection | CROE.2.3.4, CROE.2.4 |
| SI-04 | Information System Monitoring Tools And Techniques | CROE.2.3.5, CROE.2.4 |
| SI-05 | Security Alerts And Advisories | CROE.2.4, CROE.2.5.1, CROE.2.5.3, CROE.2.7.1, CROE.2.7.2, CROE.2.8.2 |
| SI-06 | Security Functionality Verification | CROE.2.6.1 |
| SI-07 | Software And Information Integrity | CROE.2.3.3, CROE.2.4 |
| SI-12 | Information Output Handling And Retention | CROE.2.3.3 |
| SI-16 | Memory Protection | CROE.2.3.4 |
SR Supply Chain Risk Management
| Control | Name | ECB CROE References |
|---|---|---|
| SR-01 | Policy and Procedures | CROE.2.2.3 |
| SR-02 | Supply Chain Risk Management Plan | CROE.2.2.3 |
| SR-03 | Supply Chain Controls and Processes | CROE.2.2.3 |
| SR-05 | Acquisition Strategies, Tools, and Methods | CROE.2.2.3 |
| SR-06 | Supplier Assessments and Reviews | CROE.2.2.3, CROE.2.7.1 |
| SR-08 | Notification Agreements | CROE.2.7.1 |