EBA publishes guidelines on ICT and security risk management

The European Banking Authority (EBA) published final guidelines on ICT and security risk management. The guidelines enter into force on June 30, 2020 and are addressed to credit institutions and investment firms as defined in the Capital Requirements Directive (CRD), for all of their activities, and to Payment Service Providers (PSPs) subject to the revised Payment Services Directive (PSD2), for their payment services. The new requirements focus on the mitigation and management of ICT and security risks, and aim to ensure a consistent approach across the Single Market.

Digitalisation is increasing in the financial sector, as is the interconnectedness between financial institutions and third parties. This interconnectedness with third parties makes financial institutions more vulnerable to internal and external ICT and security risks, which can compromise their viability. This is why sound ICT and security risk management is required.