EBA consults on guidelines on ICT and security risk management

The European Banking Authority (EBA) today launched a consultation on its draft Guidelines on ICT and security risk management. These Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market. The consultation runs until 13 March 2019.

Due to a growing reliance on ICT for their operational functioning, financial institutions are vulnerable to increased threats from internal and external attacks, including cyber-attacks, or breaches that may arise from inadequate business continuity planning for ICT systems and processes, or poor processes relating to ICT change management. These Guidelines aim to mitigate all ICT risks - internal or external-, including security related risks, for all financial institutions.

The Guidelines outline expectations in relation to governance, risk assessment process, information security requirements, ICT operational management, security in the change and development processes and business continuity management to mitigate ICT and security risks. Specifically for PSPs the Guidelines cover the management of their relationship with payment service users (PSUs) to ensure that the measures implemented are well communicated to them.

The Guidelines are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to PSPs subject to the revised Payment Services Directive (PSD2), for their payment services.

Consultation process

Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 13 March 2019.

A public hearing will take place at the EBA premises on 13 February 2019 from 14:00 to 16:00 UK time. All contributions received will be published following the end of the consultation, unless requested otherwise.

Legal basis, background and next steps

These Guidelines have been developed according to Article 74 of Directive 2013/36/EU, which mandates the EBA to further harmonise institutions' governance arrangements, processes and mechanisms across the EU,  and Article 95 (3) of Directive 2015/2366, which mandates the EBA to issue guidelines with regard to the establishment, implementation and monitoring of security measures for operational and security risks, and Article 16 of Regulation (EU) No 1093/2010.

These Guidelines respond to the European Commission's FinTech Action plan request for the EBA to develop guidelines on ICT risk management and mitigation requirements in the EU financial sector.

The Guidelines on security measures for operational and security risks (EBA GL/2017/17) have been fully integrated in the EBA Guidelines on ICT and security risk management and will be repealed when the latter enter into force.