Cybersecurity Gaps in EU Financial Data Protection Exposed by Recent Breaches

In January 2026, an attacker exploited the credentials of a French civil servant to access FICOBA—the Fichier national des comptes bancaires, France’s national registry of citizens’ banking records—resulting in unauthorized access to approximately 1.2 million records before detection. Shortly thereafter, another attacker claimed to have obtained personal and tax data for 47 million Spanish citizens from the Ministry of Finance’s internal databases, though the Spanish Ministry denied a direct breach.

These incidents highlight a structural gap in EU law. Directives such as the Fourth and Fifth Anti-Money Laundering Directives (AMLD4 and AMLD5) have required Member States to establish centralized, automated mechanisms for identifying individuals holding or controlling bank accounts and safe deposit boxes. Similarly, the Directive on Administrative Cooperation (DAC) and its amendments have extended mandatory information exchange to digital platform operators and crypto-asset service providers.

While these directives have effectively centralized vast amounts of sensitive financial data, they do not explicitly require that these registries adhere to specific cybersecurity standards. The Network and Information Systems Directive (NIS2) designates public administrations as “essential entities” subject to risk management and incident reporting obligations. However, as a directive, NIS2 requires transposition into national law, leading to potential inconsistencies in implementation across Member States. ([interoperable-europe.ec.europa.eu](https://interoperable-europe.ec.europa.eu/node/706126?utm_source=openai))

The General Data Protection Regulation (GDPR) imposes obligations on data controllers and processors to implement appropriate technical and organizational measures to ensure data security. However, GDPR’s broad scope and principles-based approach may not provide the specific guidance necessary for securing centralized financial registries. ([commission.europa.eu](https://commission.europa.eu/law/law-topic/data-protection/eu-data-protection-rules_en?utm_source=openai))

The Regulation on Digital Operational Resilience (DORA) aims to strengthen the financial sector’s ability to withstand ICT-related disruptions. While DORA focuses on financial entities, its applicability to government-operated financial registries remains ambiguous. ([finance.ec.europa.eu](https://finance.ec.europa.eu/digital-finance/cyber-resilience_en?utm_source=openai))

The European Data Protection Supervisor (EDPS) has issued guidelines on data protection in EU financial services regulation, emphasizing the need for robust security measures. However, these guidelines are not legally binding and may not be uniformly adopted across Member States. ([edps.europa.eu](https://www.edps.europa.eu/data-protection/our-work/publications/guidelines/guidelines-data-protection-eu-financial-services_en?utm_source=openai))

The recent cybersecurity incidents in France and Spain underscore the urgent need for a cohesive and enforceable EU-wide framework that mandates specific cybersecurity standards for centralized financial registries. Without such measures, the risk of unauthorized access to sensitive financial data remains a significant concern.