Skip to content
Home / Function (NIST CSF 2.0) / GV - Govern / OC - Org. Context

EBA Guidelines on ICT and security risk management

This document focuses on:

The EBA Guidelines on ICT and Security Risk Management provide a comprehensive framework for credit institutions, investment firms, and payment service providers to identify, assess, and mitigate ICT and security risks. They emphasize strong governance, requiring institutions to integrate ICT risk management into their overall risk frameworks with clear roles and responsibilities, including board oversight. The guidelines mandate regular risk assessments, implementation of preventive and corrective controls, incident response plans, and robust information security measures covering confidentiality, integrity, and availability of data. They also address third-party risk management through due diligence and ongoing monitoring. Business continuity and disaster recovery planning are key components to ensure resilience against disruptions. The framework is designed to be continuously improved and aligned with evolving threats, with mandatory reporting and communication protocols to maintain operational stability and regulatory compliance. Recent updates have aligned these guidelines with the Digital Operational Resilience Act (DORA), narrowing their scope to entities covered by DORA and simplifying requirements to avoid duplication.


Publication's URL

https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-ict-and-security-risk-management

Additional documents on this topic



How would you rate this document ?

Click on a star to rate it!

What do you think of this document?

Your email address will not be published. Required fields are marked *