The European Banking Authority (EBA) published guidelines on ICT and security risk management. These guidelines set out a comprehensive approach to protecting businesses against cyber threats. This blog post will discuss the various aspects of the guidelines and provide practical advice on how to apply them.

The Scope of the Guidelines

The European Banking Authority (EBA) guidelines on ICT and security risk management are intended to give banks and other financial institutions a framework for managing the risks that arise from their use of ICT and for ensuring the security of their systems and networks.

The guidelines cover a wide range of areas, including:

Risk assessment

The guidelines provide recommendations on how to conduct a thorough risk assessment of an organization’s ICT systems and networks, identify potential vulnerabilities and threats, and implement appropriate measures to mitigate those risks.

Incident management

The guidelines outline procedures for reporting and managing security incidents, including the roles and responsibilities of different stakeholders and steps to minimize the impact of the incident on the organization and its customers.

Business continuity planning (BCP)

The guidelines recommend that financial institutions have a plan in place to ensure that critical services can be maintained in the event of an incident, such as a cyber attack, power failure or other disruptions.

Vendor management

The guidelines provide recommendations on how to evaluate and manage the risks associated with relationships with external vendors and third parties, and on how to ensure that the necessary security controls are in place.

The guidelines also offer a framework to comply with the relevant regulations such as GDPR and PSD2.

They also provide guidance on how to ensure secure IT systems, secure data and secure operations.

Key Requirements

The guidelines include a number of key requirements, such as the need to identify, assess, monitor, and manage risks; the need to have an ICT strategy; and the need to develop a data protection strategy.

Additionally, the guidelines state that businesses should adopt a risk-based approach to security, including measures for authentication and encryption, and should have a robust incident response plan.

Practical Advice

When implementing the guidelines, businesses should ensure that all of their staff are aware of the guidelines and their responsibilities. It is also important to ensure that all of the required measures are in place, including security policies, authentication measures, and incident response plans.

Furthermore, businesses should conduct regular risk assessments and reviews to ensure that their security measures are effective and up-to-date.

The EBA’s guidelines on ICT and security risk management provide a comprehensive approach to protecting businesses against cyber threats.

By implementing the guidelines, businesses can ensure that their data and IT systems are secure and that they are prepared for any security incidents.