EBA Guidelines on ICT and Security Risk Management – Impact on Outsourcing Arrangements

On 28 November 2019, the European Banking Authority (“EBA”) published its final guidelines[1] on information and communication technology (“ICT”) and security risk management (EBA/GL/2019/04) (the “Guidelines”). The Guidelines are issued pursuant to Article 16 of Regulation (EU) No 1093/2010 establishing a European Supervisory Authority (European Banking Authority). They build on the provisions in Article 74 of the CRD IV Directive (2013/36/EU) regarding internal governance and derive from the mandate to issue guidelines in Article 95(3) of the Payment Services Directive ((EU) 2015/2366) (“PSD2”).

The Guidelines set out the EBA’s view of appropriate supervisory practices within the European System of Financial Supervision and of how European Union law should be applied. They specify the risk management measures that financial institutions must take in order to manage the ICT and security risks to which they are exposed. The Guidelines include requirements for information security, including cybersecurity, to the extent that information is held on ICT systems.

What is the purpose of the Guidelines?

The Guidelines have been issued in response to the ever-increasing complexity and frequency of ICT and security-related incidents, and particularly the risk of such incidents having a systemic impact due to the interconnectedness of financial institutions. In the preliminary wording introducing the Guidelines, the EBA recognises the vulnerability of financial institutions to external security attacks, including cyber-attacks, due to increasing digitisation and increasing interconnectedness with other financial institutions and third parties, and the resulting need for cyber-security preparedness.

The Guidelines set out how financial institutions should manage and mitigate the ICT security risks to which they are exposed and aim to ensure a consistent and robust approach across the single market[2]. They also seek to provide financial institutions with a better understanding of the supervisory expectations for the management of ICT and related security risks.

Who do they apply to?

The Guidelines apply to all financial institutions as defined in paragraph 9 of the Guidelines (i.e. credit institutions, investment firms and payment service providers (“PSPs”)). For credit institutions and investment firms, the Guidelines are applicable to all activities which they undertake, whereas for PSPs the Guidelines apply only to their payment services activities. The Guidelines also apply to competent authorities. The Guidelines therefore have a wider application than the previous PSD2 guidelines. The EBA has issued a clarification stating that the requirements imposed by the Guidelines apply to any outsourcing or use of third parties, regardless of the geographical location of the parent entity[3].

Risk management measures

In order to effectively manage risk, the Guidelines contain requirements in each of the following areas:

- governance:[4] the establishment of sound internal governance and an internal control framework for ICT and security risks that sets clear responsibilities for financial institutions’ staff and their management bodies;

- ICT strategy:[5] the establishment of the financial institution’s ICT strategy (aligned with its own business strategy), the management and mitigation of ICT and security risks through an independent and objective control function that is separated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function. The financial institution’s management body has overall accountability for the implementation and oversight of the ICT strategy;

- ICT security:[6] the establishment of an information security policy and the implementation of security measures to mitigate the ICT and security risks that financial institutions are exposed to, including organisation and governance, logical security, physical security, ICT operations security, security monitoring, information security review, assessment and testing, and information security training and awareness;

- ICT operations management:[7] the management of ICT operations based on documented and implemented processes and procedures, including maintenance of an up-to-date inventory of ICT assets and incident and problem management processes;

- ICT project and change management:[8] this includes the acquisition, development and maintenance of ICT systems and services. Financial institutions should ensure that changes to production systems are assessed, tested, approved and implemented in a controlled manner. The aim is to ensure that ICT projects have appropriate governance and oversight and that the development of applications is carefully monitored from the test phase to the production phase; and

- business continuity:[9] developing response and recovery plans, including testing, and updating them based on the test results. Specifically, the Guidelines highlight the importance of not separating ICT business continuity management processes from the financial institution’s overall business continuity management process.

What will be the likely impact on third party providers?

The EBA has deliberately taken a high-level approach when preparing the Guidelines in respect of outsourcing arrangements. This is in order to encourage financial institutions to set out their own principle-based requirements on ICT and security management. In addition, the EBA intentionally does not refer to specific technologies, in order to ensure that the Guidelines remain future-proof.

Section 3.2.3 – Use of third party providers – addresses this issue.

First, the Guidelines require financial institutions to ensure that the risk-mitigation measures as defined by their risk management framework, including the measures set out in the Guidelines, are fully effective. This applies when operational functions of payment services and/or ICT services and ICT systems of any activity are outsourced, either to group entities or to third parties.

Secondly, the Guidelines specify that, in order to ensure continuity of ICT services and systems, financial institutions’ contracts and service level agreements with providers (outsourcing providers, group entities or third party providers) should include:

a) appropriate and proportionate information security-related objectives and measures, including requirements such as:

i. minimum cybersecurity requirements;

ii. specifications of the financial institution’s data life cycle, and requirements regarding data encryption, network security and security monitoring processes;

iii. the location of data centres; and

b) operational and security incident handling procedures, including escalation and reporting.

Thirdly, the Guidelines require that financial institutions should monitor and seek assurance on the level of compliance of these providers with the security objectives, measures and performance targets of the financial institution.

In practice, in the context of an outsourcing arrangement the Guidelines will mean that financial institutions will need to review their requirements in respect of their third party providers in order to ensure that the new requirements of the Guidelines are met and that the institution’s risk management strategy remains effective.

Approach to Implementation

The above requirements, like the remainder of the Guidelines, lack detail as to how they should be implemented. The Guidelines do not specify, for example, what level of encryption is required, but simply state that an outsourcing contract should consider and include this detail. The EBA explains elsewhere[10] that it has deliberately chosen to set out high-level, principle-based requirements rather than detailed and prescriptive requirements, so as to allow financial institutions to adapt their risk management strategies to new challenges and developments and to anticipate and mitigate future ICT and security risks.

The Guidelines should, however, be implemented in accordance with the principle of proportionality[11]. This means that financial institutions should comply with the Guidelines in a way that is proportionate to, and takes account of, each financial institution’s size and internal organisation, as well as the nature, scope, complexity and risks associated with the services and products the financial institution provides.

In its response to comments raised on a prior draft of the Guidelines, the EBA issued a clarification addressing a potential misunderstanding of this principle: the Guidelines are ‘size neutral’ and are applicable to all addressees, and it is for each financial institution to apply the Guidelines in a proportionate manner[12].

How do the Guidelines interact with the EBA Guidelines on outsourcing arrangements?

The Guidelines complement and should be read in conjunction with the EBA Guidelines on outsourcing arrangements. The same applies to the supervisory assessment of the applicable institutions under the EBA Guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process (EBA/GL/2017/05).

Key dates

The Guidelines apply from 30 June 2020. From that date, the EBA guidelines on security measures for operational and security risks under PSD2 will be repealed.

[1] European Banking Authority – Final Guidelines on ICT and security risk management, link to PDF:

[2] EBA’s website description of the Guidelines:

[3] Clarification, the EBA’s analysis, page 51 of the Guidelines.

[4] Section 3.2.1 of the Guidelines.

[5] Section 3.2.2 of the Guidelines.

[6] Section 3.4 of the Guidelines.

[7] Section 3.5 of the Guidelines.

[8] Section 3.6 of the Guidelines.

[9] Section 3.7 of the Guidelines.

[10] Section 4.1 (E), option 2b of the Guidelines.

[11] Section 3.1 of the Guidelines.

[12] Clarification, the EBA’s analysis, page 46 of the Guidelines.