Bank of Albania drafts new regulation on cybersecurity

2025-12-04 07:31:33, Ekonomi CNA

The Bank of Albania has prepared a draft regulation "On digital operational sustainability", which aims to define unified requirements regarding the security of the network and information systems that support the activities of financial entities.

Subjects of the regulation will be banks, all non-bank financial institutions for lending, electronic money and payments, issuers of asset tokens according to the provisions of the legislation on crypto-asset markets, and third-party information and communication technology (ICT) service providers.

The draft regulation requires financial entities to establish an internal governance and control system that ensures effective and prudent management of all ICT risks.

The draft BSS requires financial entities to establish a sound, comprehensive and well-documented ICT risk management system, as part of the entity's overall risk management system, which enables them to manage ICT risk in a prompt, efficient and comprehensive manner, as well as ensuring a high level of digital operational resilience.

This system must include the necessary strategies, policies, procedures, ICT protocols and mechanisms to appropriately and effectively protect all information assets and ICT assets, including computer programs and equipment, servers, as well as to protect all relevant physical components and infrastructures, such as: premises, data centers and designated sensitive areas, to ensure that all information assets and ICT assets are adequately protected from risks, including damage and unauthorized access or use.

Financial entities must ensure appropriate separation and independence between ICT management functions, control functions and internal control functions, according to the three lines of defense model.

To address and manage ICT risk, financial entities are to use and maintain up-to-date ICT systems, protocols and mechanisms that are appropriate to the size of the operations supporting their activity, that are reliable, and that have sufficient capacity to accurately process the data necessary for performing activities and providing services in a timely manner, and to deal with orders, messages or transaction volumes during peak times, as necessary, including when new technologies are introduced.

Also, systems must be technologically flexible, to appropriately cope with additional information processing needs, as required under stressed market conditions or other adverse situations.

For the purposes of adequately protecting ICT systems and organizing response measures, financial entities must continuously monitor and control the security and functioning of ICT systems and mechanisms.

Financial entities must use ICT technology (solutions) and processes that guarantee the security of information transfer means; minimize the risk of data corruption or loss, unauthorized access and technical defects that may hinder business activity; prevent lack of availability, damage to authenticity and integrity, confidentiality breaches and data loss; ensure that data is protected from risks associated with information management, including poor management, risks associated with data processing and human errors.

The new regulation is expected to enter into force on July 1, 2027, but from the moment of its adoption, financial institutions that are subject to this regulation must begin taking measures to meet the requirements of the regulation and report to the Bank of Albania every 3 months./ Monitor.al




