On 28 December 2019, the European Banking Authority (EBA) published Guidelines on ICT and security risk management under Directive (EU) 2015/2366. These Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) and security risks and aim to ensure a consistent and robust approach across the Single market. These Guidelines have built on and replaced those on security measures for operational and security risks (EBA GL/2017/17), which have now been repealed.
In accordance with Article 16(3) of Regulation (EU) No 1094/2010, competent authorities and financial institutions must make every effort to comply with guidelines. The Central Bank complies with the Guidelines and has incorporated them into its ongoing supervisory practices and processes for PSPs. Firms are expected to comply with the Guidelines. The Guidelines are effective from 30 June 2020.
A link to the Guidelines can be found on the Central Bank’s website here.