Crypto assets, particularly those that are decentralised and operate with limited or no formal governance structure, pose particular technological and operational risks. The specific application of distributed ledger technology (DLT) that underpins most crypto-assets is still in its early stages and may be subject to technological flaws and limitations. As these technological limitations and network management issues arise, crypto-asset trading platforms may be, and in some cases have been, vulnerable to fraud, hacking and other cyber incidents. A number of trading platforms with inadequate security measures have collapsed following cyber incidents, resulting in real losses for investors. While some steps have been taken to establish a European supervisory and reporting mechanism, significant regulatory gaps remain at the European level.
First of all, financial markets are much more integrated than security policies, which remain mainly in the hands of individual Member States. Moreover, the framework is largely based on non-binding guidelines. As a result, there is still heterogeneity between Member States' legal systems and practices, as well as differences in information and communication technologies (ICT) security among operational resilience requirements in EU financial services legislation. The problem is also relevant when considering market actors, in particular with regard to the lack of coherent supervision of third-party activities for financial sector firms.
For example, economies of scale in mining can lead to the formation of concentrated mining pools that have significant control over a crypto asset. In other cases, there may be concentrated governance structures around network nodes or software standards. Decentralisation and lack of or inadequate governance make it difficult to address technological limitations or flaws and can lead to uncertainty. The cross-border nature of the policy problem at hand compounds the adverse effects of this lack of harmonisation.
Cyberattacks also have the potential to cause acute disruptions to financial systems and render some risk management and business continuity arrangements ineffective. As the IMF points out, attacks on payment systems could result in losses to consumers; cyber incidents could also lead to the failure of the entire infrastructure, causing disruptions to services and compromising the integrity of the system, or they could lead to a loss of confidence.
The absence of requirements or a multiplication of obligations to report the same incident to different authorities makes it difficult to ensure resilience in a rapidly evolving environment.
As highlighted by the European Commission, this leads to incomplete oversight of security incidents, inconsistent reporting requirements, and reduced ability to assess and monitor risk.
Finally, as with crypto assets, the cyber threat landscape is highly dynamic and actors are constantly changing and evolving, requiring agile and flexible oversight.
The inconsistency of digital operational resilience testing frameworks at Member State level, with differences in scope, testing modalities and requirements or authorities involved, does not foster the emergence of such flexibility.
In fact, this discrepancy contributes to the fragmentation of the regulatory approach and additional costs, and makes European financial markets more vulnerable to cyber threats. As noted by the European Commission in its first impact assessment, the lack of a common approach in this area could even lead to a segmentation of the internal market, undermining the EU's unified supervisory approach.