EU GDPR sets strict data security standards, requiring organisations to protect personal data, and report breaches to the relevant authorities within 72 hours. GDPR compliance is enforceable as of 25 May 2018.

Fines have been expressly specified by the regulator for certain non-compliances to be 2% of global turnover or €10million, whilst for others 4% of global turnover or €20million, whichever is higher.

The sizable requirements mean that this will need to be a C-suite consideration and priority. The overall legislation includes, but is not limited to: elements of permissions for the exact uses of the data, transparency, encryption, storage, portability, deletion, client requests for information, vulnerability testing, penetration testing, security risk management, the requirement of an independent Data Protection Officer (compliance), a Cyber security team, the obligation to inform the regulator of a breach…

NIS, adopted in July 2016 by the European Union (EU) aims to create a high common level of network and information systems security across the EU in 3 ways:

1. Increasing cooperation on the matter of cyber security among EU member states.
2. Increasing cyber security capabilities at the national level for all EU member states.
3. Introducing security measures and incident reporting obligations for operators of essential services in critical national infrastructure and digital service providers (DSPs)

The “operators of essential services” referred to above include enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors.

For many financial services firms, there are overlaps in requirements of the NIS and the GDPR and such firms are subject to both sets of legislation and must report to each relevant authority separately.

Non-compliance with MiFID II can cost a firm penalties of up to €5million or 10% of annual turnover. MiFID II is the EU legislation that regulates firms who provide services to clients linked to ‘financial instruments’ (as defined by the legislation) and the venues where those instruments are traded. New financial instruments are being developed continuously that can stretch the rules that exist around trading, while the volume and variety of trades continues to go up all the time. MiFID II therefore tries to encompass all these developments. GCS’s security and risk management services are designed to help clients not only to exceed regulatory compliance but also be aligned with Company strategy.

Under MiFID II, both the industry regulators across Europe and the trading firms will be required to keep a complete and accurate list of all trades taking place. This data must also be protected. Existing services previously not regulated, now come under regulation with MiFID II, in particular:

1. Approved publication arrangements (APAs): entity providing the service of publishing trade reports on behalf of investment firms for the purpose of post-trade disclosure.

2. Approved reporting mechanisms (ARMs): entity providing the service of reporting details of transactions to competent authorities or; to ESMA on behalf of investment firms.

3. Consolidated tape providers (CTPs): entity providing the service of collecting post-trade information for financial instruments from trading venues (i.e. regulated markets, Multilateral Trading Facilities and Organized Trading Facilities) and APAs.

(Note that organized trading facilities were previously not under any specific regulation and now also fall under MiFID II).

MiFID II already requires a large amount of data to be held and communicated across different entities. If mishandled, this data could pose material risks along the regulatory chain and possibly close down your business. GCS is strategically placed and has comprehensive knowledge in all aspects of MiFID II and therefore is able to assist both EU and non-EU companies which fall under the scope of MiFID II.