The European Banking Authority has published its final guidelines on the management of information and communication technology and security risks by financial institutions in the EU. The Guidelines set out how financial institutions should comply with relevant provisions on the governance and risk management of ICT and security risks under the Fourth Capital Requirements Directive and the Second Payment Services Directive. The guidelines will become applicable as from June 30, 2020. They are addressed to credit institutions and investment firms, as well as competent authorities, as defined under the revised Capital Requirements Regulation, and to payment services providers and competent authorities as defined under PSD2. Upon their entry into force, they will replace the existing “Guidelines on security measures for operational and security risks of payment services” that were published in 2017 and addressed only to payment services providers.

The EBA expects the Guidelines to be implemented proportionately, taking into account the scale and complexity of institutions’ operations, the nature of the activities engaged in, and the ICT and security risks arising from the particular institution’s processes and services. The Guidelines include guidance on: 

  • Governance and strategy – management bodies should ensure internal governance and control frameworks are in place to manage ICT and security risks in their institutions and should develop appropriate ICT strategies;
  • ICT and security risk management frameworks – processes should be established to identify and analyse ICT and security risks and responsibility for overseeing such risks should be assigned to a control function;
  • Information security – an information security policy should be developed to protect financial institutions’ and customers’ data and ongoing reviews should be undertaken to assess vulnerabilities in ICT systems and services;
  • ICT operations management – ICT operations should be managed by reference to documented processes and procedures, including incident and problem management processes;
  • ICT project and change management and business continuity management - institutions should support the implementation of ICT strategies through programs that define the roles and responsibilities of those involved in implementation and should establish business constitution management processes to ensure services are provided on an ongoing basis; and
  • Payment service user relationship management – PSPs should provide assistance and guidance to ensure payment service users are aware of the security risks linked to payment services.

View the EBA's Guidelines.