Full name: Revised Payment Services Directive
Date of entry into force: January 12, 2016
Date that rules apply: January 13, 2018
A bird’s eye view: PSD2 establishes comprehensive rules for payment services, with the intent to improve the efficiency, ease, and security of international payments (within the EU). It is also designed to open the door to new entrants into the payment markets in an effort to generate more competition and provide greater choice and better prices to consumers. As well, the directive provides a legal basis for the Single Euro Payments Area.
Who must comply: EU Member States must incorporate the directive into their national laws by January 13, 2018. Participating payment services organizations will be required to comply with the directive.
Penalties for non-compliance: Per the Payment System Regulator (PSR) — an independent economic regulator in the UK — "The interpretation of what PSD2 requires and how parties comply with it are ultimately questions of European law for the national and EU courts. We cannot provide definitive interpretations."
Security awareness training requirement: Though the directive sets forth strict rules related to payment security, customer data protections, transparency, and user rights and obligations, there is no stipulation for end-user awareness training within this directive.
Levine’s take: "A significant component of PSD2 centers around trust. Consumers must trust established institutions and new players. Trust begins with good security, and good end-user security begins with awareness and training.
"Institutions will be relying on their employees to protect transactions and consumer data; the success or failure of employees to do those things well will have significant implications for payment service providers. If organizations are not confident in their end users’ knowledge of cybersecurity best practices, awareness and education programs should be implemented sooner rather than later."
Legislation summary, Revised Rules for Payment Services in the EU
Banking Technology, “Infographics: PSD2 Explained”
Payment Systems Regulator, “The PSR confirms how it will monitor and enforce new EU rules on access to payment systems”
Full name: Directive on Security of Network and Information systems
Date of entry into force: August 2016
Dates that rules apply: May 9, 2018 and November 9, 2018 (see details below)
A bird’s eye view: The NIS Directive is designed to raise the overall level of cybersecurity across the EU by establishing common standards for preparedness, cooperation, response, and security awareness. The directive is aimed at EU Member States as a whole as well as specific operators of essential services within those states.
Who must comply: EU Member States must incorporate the directive into national law by May 9, 2018, and identify operators of essential services by November 9, 2018. Organizations and entities established within the directive will be responsible for compliance.
Penalties for non-compliance: Member States (not the EU) are responsible for setting and penalties for non-compliance, though the directive does stipulate that the penalties be "effective, proportionate, and dissuasive."
Security awareness training requirement: The NIS Directive does set forth requirements for education, awareness, and training programs that relate to network and information security.
Levine’s take: "As part of the NIS Directive, organizations and entities are expected to establish and sustain cybersecurity training programs; document sharing of best practices; and work to elevate user behaviors in general. Awareness and education are — rightfully — deemed to serve an elemental role in the overall cybersecurity framework of critical infrastructure services and systems.
Though it’s true that, of the three pieces of legislation discussed here, only the NIS Directive specifically requires security awareness and training, compliance with all three will heavily rely on good end-user security."
European Commission, “State of the Union 2017: The Commission scales up its response to cyber-attacks”
Subscribe to the Proofpoint Blog