The European Banking Authority (EBA) has published its final Guidelines on the management of information and communication technology (ICT) and security risks by financial institutions in the EU. The Guidelines set out how financial institutions should comply with the relevant provisions on the governance and risk management of ICT and security risks under the Fourth Capital Requirements Directive (CRD IV) and the Second Payment Services Directive (PSD2). The Guidelines will become applicable from June 30, 2020. They are addressed to credit institutions and investment firms, as well as competent authorities, as defined under the revised Capital Requirements Regulation, and to payment services providers and competent authorities as defined under PSD2. Upon their entry into force, they will replace the existing “Guidelines on security measures for operational and security risks of payment services” that were published in 2017 and addressed only to payment services providers.
The EBA expects the Guidelines to be implemented proportionately, taking into account the scale and complexity of institutions’ operations, the nature of the activities engaged in, and the ICT and security risks arising from the particular institution’s processes and services. The Guidelines include guidance on: