EBA’s final guidelines on ICT and security risk management



2 December 2019

Regulatory News Alert

Context and objectives

In accordance with the Capital Requirements Directive (CRD IV), the European Banking Authority (EBA) has been mandated to further harmonize financial institutions' governance arrangements, processes, and mechanisms across the EU. To fulfil this mandate and gather input from stakeholders, on 13 December 2018 EBA published a Consultation Paper (CP) containing the draft Guidelines on information and communication technology (ICT) and security risk management (the Guidelines). The consultation closed on 13 March 2019.

Following the consultation period, on 28 November 2019 EBA published the Final Report on the Guidelines (EBA/GL/2019/04), which establish requirements for the mitigation and management of ICT risks under CRD IV (Directive 2013/36/EU) and PSD2 (Directive (EU) 2015/2366). The purpose of the Guidelines is to address ICT and security risks, which have grown in recent years as the financial sector has become more digitalized and more interconnected, through telecommunications channels, with other financial institutions and with third parties.

The Guidelines, which apply from 30 June 2020, set out expectations on how all financial institutions should manage the internal and external ICT and security risks they are exposed to. They give financial institutions a clearer understanding of supervisory expectations for the management of these risks, covering ICT governance and strategy, the ICT risk management framework, information security, ICT operations management, ICT project and change management, and business continuity management. The Guidelines are principle-based and flexible enough to be applied by all relevant institutions in the sector.

The scope of application of the Guidelines covers payment service providers for their payment services, credit institutions for all activities beyond their payment service, and investment firms for all activities.

Financial institutions must make every effort to comply with the Guidelines in a way that is proportionate to, and takes account of, their size, their internal organization, and the nature, scope, complexity, and riskiness of the services and products they provide or intend to provide. Only by developing strong ICT risk management practices will financial institutions be able to comply with these Guidelines.


Next steps

The Guidelines on security measures for operational and security risks under PSD2 (EBA/GL/2017/17), issued in 2017, have been fully integrated into the EBA Guidelines on ICT and security risk management and will be repealed once the latter become applicable, on 30 June 2020.


How can Deloitte help you?

Deloitte can help organizations improve their ICT risk management practices’ maturity by assessing, designing, and implementing:

  • Strategy/program: ICT risk management strategy and roadmap to align with business goals and enterprise risk objectives, and to fill ICT risk management capability gaps (people, process, technology) 
  • Governance and operating model: ICT risk management operating model as well as roles and responsibilities across multiple lines of defense
  • ICT risk management capability enhancement: ICT risk management policies and standards, processes, tools, and technologies 
  • ICT risk reporting and culture: ICT, business, and Board ICT risk reporting

Deloitte can also help financial institutions assess their readiness for an ICT on-site visit by a competent authority by simulating an on-site inspection.

Deloitte can also help you navigate regulatory trends and identify which are relevant to your activities through the RegWatch Kaleidoscope service.



Subject matter specialists

Stephane Hurtaud
Partner – Risk Advisory
Tel : +352 45145 4434

Roland Bastin
Partner – Risk Advisory
Tel : +352 45145 2213

Patrick Laurent
Partner – Technology Leader
Tel : +352 45145 4170

Irina Hedea
Partner – Information & Technology Risk
Tel : +352 45145 2944


Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting
Tel : +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory
Tel : +352 45145 2276

Benoit Sauvage
Director – RegWatch, Strategy & Consulting
Tel : +352 45145 4220

Marijana Vuksic
Manager – Strategy, Regulatory & Corporate Finance
Tel : +352 45145 2311
