Article

EIOPA Guidelines on Information and Communication Technology Security and Governance

Key insights and self-assessment checklist

On 12 October 2020, the European Insurance and Occupational Pensions Authority (EIOPA) issued its Guidelines on Information and Communication Technology Security and Governance (“the Guidelines”) in accordance with Article 16 of Regulation (EU) No 1094/20104 harmonizing the European Commission's FinTech Action Plan (COM/2018/0109 final) and EIOPA’s Supervisory Convergence Plan 2018–2019.

The Guidelines provide guidance on the sound information and communication technology (ICT) governance and security practices that insurance and reinsurance undertakings should implement to mitigate their technological risks appropriately.

The EIOPA Guidelines cover 25 topics, each containing a set of specific requirements. The self-assessment checklist provided in the article summarizes those 25 topics, allowing to determine the readiness level of ICT security and governance management processes and to identify any potential gaps before the Guidelines come into force.

The Guidelines encompass seven main areas:

PDF - 720kb

Governance and strategy

Establish governance to effectively support the ICT strategy

ICT and security risk management

Ensure ICT and security risks are identified and addressed appropriately

ICT operations management

Implement efficient and controlled ICT operations processes

Information security

Protect the confidentiality, integrity and availability of customer and business data

ICT project and change management

Manage projects and changes effectively to meet business and security objectives

Business continuity management

Maintain the business function under unforeseen circumstances

Outsourcing

Protect outsourced IT services appropriately

The Guidelines represent a key step for the insurance sector to align with the European Commission’s aim to improve and harmonize the digital operational resilience of the EU’s financial services (as envisioned by the legislative proposal for a Digital Operational Resilience Act).

Contacts

Roland Bastin

Partner | Risk Advisory & Forensic

rbastin@deloitte.lu

+352 45145 2213

Roland is a partner within the advisory and consulting department and joined the Risk Advisory practice of Deloitte in 2001. He is responsible for IT audit, IT security, IT regulatory compliance, Data... More

Michael Cravatte

Partner | Insurance Leader

mcravatte@deloitte.lu

+352 45145 4758

Michaël is the Insurance and the Enterprise Application lead for Deloitte Luxembourg. His experience includes Insurance strategy & operations, Cross-Border distribution, Finance transformation, SAP, S... More

Irina Hedea

Partner | Information & Technology Risk

ighedea@deloitte.lu

+352 45145 2944

Irina is a Partner in Risk Advisory services, with more than 15 years’ experience in IT risk, IT Regulatory and Outsourcing, Information Security Management, digital trust services and project managem... More

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Viewing offline content

Audit & Assurance

Consulting

Tax

Financial Advisory

Risk Advisory

Deloitte Private

Corporate and Accounting

Innovation

Sustainability

International markets

Legal

Consumer

Energy, Resources & Industrials

Financial Services

Government & Public Services

Life Sciences & Health Care

Technology, Media & Telecommunications

Job Search

Your Career at Deloitte Luxembourg

Luxembourg Deloitte Alumni

EIOPA Guidelines on Information and Communication Technology Security and Governance