ECB CROE — Cyber Resilience Oversight Expectations for Financial Market Infrastructures

Overview

ECB CROE — Cyber Resilience Oversight Expectations for Financial Market Infrastructures is a supervisory framework that establishes cybersecurity expectations for financial market infrastructures (FMIs) operating in the European Union. The framework defines principles and expectations for cyber resilience to protect critical financial systems and maintain the stability of EU financial markets.

Published by the European Central Bank (ECB), the CROE applies to FMIs including central counterparties, central securities depositories, and payment systems under ECB oversight. It covers governance, identification, protection, detection, response, recovery, and testing — aligned with international standards such as CPMI-IOSCO guidance.

FMIs implement CROE by developing cyber resilience strategies, conducting risk assessments, establishing incident response plans, and undergoing regular cyber resilience testing. The framework supports broader regulatory compliance and is increasingly referenced alongside DORA requirements for EU financial sector entities.

Why it Matters

ECB CROE establishes mandatory cybersecurity expectations for EU financial market infrastructures that underpin the stability of European financial markets.

Key benefits include:

• Strengthen systemic cyber resilience

Establish robust cybersecurity practices protecting critical infrastructure that supports settlement, clearing, and payment across EU markets.

• Enhance regulatory alignment

Meet ECB supervisory expectations and align with CPMI-IOSCO guidance, DORA, and other EU cybersecurity regulatory requirements.

• Improve incident response capability

Develop structured response and recovery processes to minimize the impact of cyber incidents on market operations.

• Increase testing and assurance maturity

Demonstrate cyber resilience through regular threat-led penetration testing and scenario-based exercises.

• Promote governance and accountability

Establish board-level ownership and systematic oversight of cyber resilience across FMI operations and third-party relationships.

How it Works

ECB CROE structures cyber resilience around seven components: governance, identification, protection, detection, response and recovery, testing, and situational awareness. Each component defines specific expectations that FMIs must address in their cyber resilience programs. The framework emphasizes proportionality, requiring stronger controls for FMIs with greater systemic importance.

FMIs implement CROE through cyber resilience strategies endorsed by the board, comprehensive risk identification exercises, deployment of protective controls, and robust detection and response capabilities. Regular TLPT (Threat-Led Penetration Testing) exercises verify resilience effectiveness and inform continuous improvement.

Within SmartSuite, organizations track CROE component implementation, manage cyber resilience testing schedules, document incident response procedures, and maintain evidence for ECB supervisory reviews through integrated governance and compliance workflows.

Key Elements

• Governance and Accountability Structure

Establishes board-level responsibility and management oversight for cyber resilience across FMI operations.

• Identification and Risk Assessment

Defines processes for identifying critical systems, assets, and cyber risks affecting financial market operations.

• Protection Mechanisms

Specifies controls safeguarding FMI systems and data from unauthorized access, disruption, and compromise.

• Detection Capabilities

Outlines monitoring and detection processes to identify cyber incidents affecting FMI infrastructure.

• Response and Recovery Framework

Establishes structured processes for managing cyber incidents and restoring critical FMI services.

• Testing and Validation Activities

Requires regular cyber resilience testing including TLPT to verify effectiveness of implemented controls.

Framework Scope

ECB CROE applies to financial market infrastructures under ECB oversight including central counterparties, central securities depositories, and systemically important payment systems operating in the European Union.

Framework Objectives

ECB CROE establishes cyber resilience expectations to protect EU financial market infrastructure and maintain systemic financial stability.

• Establish governance and board-level accountability for cyber resilience
• Identify and protect critical assets supporting EU financial market operations
• Implement robust detection, response, and recovery capabilities
• Conduct regular testing including threat-led penetration testing
• Maintain situational awareness and share threat intelligence
• Align with CPMI-IOSCO guidance and EU regulatory requirements

ECB CROE aligns with CPMI-IOSCO Guidance on Cyber Resilience, ISO/IEC 27001, and the NIST Cybersecurity Framework. FMIs implement it to meet ECB supervisory expectations, align with DORA requirements, and demonstrate robust cyber resilience protecting systemic financial infrastructure.

Common Framework Mappings

Organizations map ECB CROE to complementary cybersecurity and operational resilience frameworks to align FMI-specific controls with broader enterprise security programs and regulatory requirements.

Mapped frameworks include:

CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures

Digital Operational Resilience Act (DORA)

ISO/IEC 27001

ISO/IEC 27002

NIST Cybersecurity Framework

NIST SP 800-53

TIBER-EU

UK CBEST