EIOPA Guidelines on Information and Communication Technology Security and Governance


EIOPA Guidelines on Information and Communication Technology Security and Governance

Key insights and self-assessment checklist

On 12 October 2020, the European Insurance and Occupational Pensions Authority (EIOPA) issued its Guidelines on Information and Communication Technology Security and Governance (“the Guidelines”) in accordance with Article 16 of Regulation (EU) No 1094/20104 harmonizing the European Commission's FinTech Action Plan (COM/2018/0109 final) and EIOPA’s Supervisory Convergence Plan 2018–2019.

The Guidelines provide guidance on the sound information and communication technology (ICT) governance and security practices that insurance and reinsurance undertakings should implement to mitigate their technological risks appropriately.

The EIOPA Guidelines cover 25 topics, each containing a set of specific requirements. The self-assessment checklist provided in the article summarizes those 25 topics, allowing to determine the readiness level of ICT security and governance management processes and to identify any potential gaps before the Guidelines come into force.

The Guidelines encompass seven main areas:

PDF - 720kb

Governance and strategy

Establish governance to effectively support the ICT strategy

ICT and security risk management

Ensure ICT and security risks are identified and addressed appropriately

ICT operations management

Implement efficient and controlled ICT operations processes

Information security

Protect the confidentiality, integrity and availability of customer and business data

ICT project and change management

Manage projects and changes effectively to meet business and security objectives

Business continuity management

Maintain the business function under unforeseen circumstances


Protect outsourced IT services appropriately

The Guidelines represent a key step for the insurance sector to align with the European Commission’s aim to improve and harmonize the digital operational resilience of the EU’s financial services (as envisioned by the legislative proposal for a Digital Operational Resilience Act).


Roland Bastin
Partner – Risk Advisory
+352 451 452 213

Michael Cravatte
Partner – Banking & Insurance
+352 451 454 758

Irina Gabriela Hedea
Partner – Risk Advisory
+352 451 452 944

Stéphane Hurtaud
Partner – Risk Advisory
+352 451 454 434

Herve Marchand
Partner – Banking & Insurance
+352 451 452 292

Alexandre Heluin
Director – Risk Advisory
+352 451 454 030

Onur Ozdemir
Director – Risk Advisory
+352 451 452 207

Frederic de Pauw
Senior Manager – Risk Advisory
+352 451 454 383

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?