The European Banking Authority has published guidelines on ICT and security risk management (the Guidelines) addressed to financial institutions – credit institutions, payment service providers, and investment firms.

The Guidelines set out how financial institutions should manage ICT and security risks, and aim to provide a better understanding of supervisory expectations relating to:

  • internal governance and internal control framework;
  • assessment of operational risks;
  • information security requirements to the extent that the information is held on ICT systems;
  • ICT project and change management, as well as business continuity management to mitigate ICT and security risks.

The Guidelines also deal with the management of the relationship between the payment service provider and its users, including disclosure of the security risks related to the payment services. The Guidelines will enter into force on 30 June 2020.

The full text of the guidelines is available here: