EBA publishes guidelines on ICT and security risk management

28 November 2019

These Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) and security risks and aim to ensure a consistent and robust approach across the Single market. These Guidelines will enter into force on 30 June 2020.

The increasing digitalisation in the financial sector and the growing interconnectedness across financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that can potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives.

These Guidelines set out expectations on how all financial institutions should manage internal and external ICT and security risks that they are exposed to. This guidance also provide the financial institutions with a better understanding of supervisory expectations for the management of the said risks, covering sound internal governance, information security requirements, ICT operations, project and change management and business continuity management.

The Guidelines also cover the management of PSPs’ relationship with payment service users (PSUs) to ensure that users are made aware of the security risks linked to the payment services, and are provided with the tools to disable specific payment functionalities and monitor payment transactions.

The Guidelines are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to PSPs subject to the revised Payment Services Directive (PSD2), for their payment services.

Full press release on EBA

Full guidelines on EBA


© EBA