Last week (28 November 2019), the European Banking Authority (EBA) published the final version of its ‘EBA Guidelines on ICT and security risk management’ (the Guidelines) on the mitigation and management of financial institutions’ (FIs) information and communication technology (ICT) and security risks. We highlight below some of the key takeaways.
The EBA released a previous version of the guidelines in 2017. The Guidelines incorporate those 2017 guidelines and will repeal them when the Guidelines come into force on 30 June 2020. The Guidelines are also intended to be read alongside the EBA guidelines on outsourcing, which came into force at the end of September 2019.
The Guidelines aim to harmonise requirements for ICT and security risk management.
Their scope will cover:
- Credit institutions and investment firms (as defined in the EU Capital Requirements Directive) for all of their activities
- Payment service providers (subject to the revised Payment Services Directive, PSD2) for their payment services only