SAP Logo LeanIX is now part of SAP
The Definitive Guide to

EBA Guidelines on ICT and Security Risk Management

The aim of the European Banking Authority's report is to create increased cyber security by implementing tighter regulations when it comes to outsourcing services.

Background of the EBA Guidelines

The aim of the European Banking Authority's report is to create increased cyber security by implementing tighter regulations when it comes to outsourcing services. These new EBA guidelines on ICT (Information and communications technology) are designed for all financial institutions and cover all methods of payment, including electronic money.

ICT guidelines or EBA guidelines affect cloud outsourcing and deployment in FinTech and are replacing the 2006 Committee of European banking Supervisors Guidelines on Outsourcing. In addition, they also include the EBA’s recommendations when it comes to outsourcing.

While the covered entities are defined in the guidelines, you will also find some details on specific procedures and obligations.

All financial institutions that fit the following criteria are obligated to follow the ICT guidelines as outlined in the report:

  • Any institutions within the EBA’s jurisdiction, including credit institutions like banks
  • Investment firms in the directive (EU) 2013/36 IV, also called the Capital Requirements Directive
  • Payment institutions and services
  • Electronic money institutions

A more extensive range of companies, now including FinTech, will face the challenge of remaining competitive in a fast-moving market while complying with the guidelines.

Since 30th September 2019, all institutions addressed in the report have to adhere to the new rules.


Rationale of the EBA Guidelines

The intricacy level of information and communication technologies is rising and so is the amount of security-related attacks. And frequently, the infrastructures used in ICT systems that help run a financial institution are interconnected.

Therefore, a breach in the system due to cyber incidents could potentially cause a total collapse of a vital infrastructure and lead to systemic impacts with devastating effects on an entire institution or, in the worst-case scenario, the world's financial markets.

What might seem like a doomsday scenario remains a possibility and poses an actual threat.

This prompted a response in the form of new EBA guidelines that establish how financial institutions need to address security risks and safeguard their ICT infrastructure. ICT and security management are a fundamental part of any financial institution's effort to meet its objectives in strategy, corporate expectations, operations management, and reputation.

PSP (Payment Service Provider) Provisions

The EBA guidelines also include Payment Service Providers. Whenever payment services are involved – including the issuance of electronic money from credit institutions and all activities beyond the payment services and investment firms – the guidelines apply.

In short, the PSPs that have to adhere to ICT guidelines include:

  • PSPs, as defined in Article 4(11) of PSD2.
  • Credit institutions and investment firms as defined in point 3 of Article 4(1) of (EU) No. 575/2013
  • Competent authorities defined in point 40 of Article 4(1) of (EU) No. 575/2013
  • The European Central Bank, in all matters related to tasks conferred by the regulation (EU) No. 1024/2013 and all competent authorities under PSD2 referenced in point (i) of Article 4(2) of Regulation (EU) No. 1093/2010

The guidelines apply to all of the above unless stated otherwise.

Leveling the Playing Field for All Institutions

The EBA guidelines are designed to integrate the rules published in December 2017 in Article 95 of PSD2, with the title “Guidelines on security measures for operational and security risks of payment services.”

To level the playing field, the guidelines also elaborate on topics geared toward the mitigation of ICT and security risks in financial institutions.

In addition, the ICT guidelines also elaborate on the European Commission's request set out in the Financial Technology (FinTech) action plan, which was published in March 2018.

Included is a request to the European Supervisory Authorities to create guidelines on ICT risk management and mitigation requirements in the European Union’s financial sector.

Addressing the Increase of Risk in Recent Years

The guidelines further address the spike in security risks as a result of the digitization of the financial sector and the interconnectedness of infrastructures, exposing everyone in the networks to attacks.

Through modern online telecommunication channels and wireless tech using wide area networks, the EU financial institutions open themselves up to increased risk. Not to mention all other financial institutions and third parties that are affiliated with EU institutions.

Through the ICT guidelines, institutions improve their cyber security and can better protect themselves from cyber-attacks. After all, cyber security risk management should be a part of a financial institution's overall security risk management.

Cyber-attacks have certain characteristics that should be taken into account when ensuring that information security measures are fit to combat cyber risks. This includes:

  1. Cyber-attacks are often hard to identify or eradicate, unlike other sources of financial institution risk. Quantifying the level of damage is also tricky.
  2. Some attacks can render risk management and continuity measures as well as disaster recovery procedures ineffective. It is possible for malware to spread corrupted data into the backup systems.
  3. Vendors, vendors' products, and other third-party service providers can be used as channels that propagate malware for a cyber-attack. The interconnectedness can be the method of risk propagation.

With the “Weakest Link Principle”, financial institutions and other market participants must work together to avoid security leaks.

The Three Lines of Defense Model

The ICT operational units are the first line of defense. That is why the EBA guidelines focus on the responsibilities of the managerial body first and then the second line of defense, which consists of the information security function.

After public consultation, the guidelines now reflect a change to include the responsibility of internal governance bodies in risk management related to cyber security.

A Better Way Forward

To better address the broader scope of provisions and matters regarding cyber security risk management, the requirements provided in the “Guidelines on the security measures for operational and security risks of payment services” are included and expanded in the new EBA guidelines.

In effect, the 2017 provisions were repealed because they do not proportionately address the nature, scope, or complexity of the institutions' risk management responsibility.

EBA guidelines on ICT and security risk management

In the EBA guidelines for security risk management, the approach is to find a way to address outsourcing, innovation and balance it with compliance. Despite requests from public consultants to delete FinTech from the report, the ICT guidelines explicitly include provisions for security risk management that include all the relevant industry players.

The guidelines are comprised of the following categories:


All the financial institutions are obligated to comply with the provisions in the EBA guidelines in a way that is proportionate to the size of the institution, its internal organization, scope, nature, complexity, and riskiness of the product/services provided.

Governance and Strategy

The security risk management is obligated to involve the management body to ensure adequate governance, high standards of quality, and staff skills as well as the approval, supervision, and implementation of robust ICT strategies.

Within their strategy, the institutions have to evolve to effectively support organizational structure, ICT system changes, third-party dependencies as well as their staff and processes.

ICT and Security Risk Management Framework

The institutions are obligated to identify and manage their infrastructure according to ICT guidelines. In addition to that, responsibility has to be directly assigned in order to manage and oversee ICT and security risks. This section covers assigning key roles and responsibilities, determining risk, and fixing problems from lessons learned.

A system of risk classification and assessment lays out how to mitigate risk and how to report relevant information according to the EBA guidelines. It also continuously audits the systems in place.

Information Security

Under information security, the EBA guidelines define what constitutes an acceptable information security policy for security risk management. The ICT guidelines also outline logical security, physical security, ICT operations security, security monitoring, information security reviews, assessment and testing, and information security training and awareness.

ICT Operations Management

In this section of the EBA guidelines, the financial institutions are advised to manage their ICT operations based on procedures and processes implemented by the management body. Incident and problem management are also covered, and it is explained how to best collaborate with the relevant responder in the event of an issue.

ICT Project and Change Management

The institutions are instructed to set up a project governance process that defines responsibilities, assigns roles, and lays out accountability to support the implementation of ICT guidelines and strategies.

You will also find a section on ICT systems acquisitions and development and the ICT management change protocol.

Business Continuity Management

In the event of severe business disruptions as a result of any cyber-attacks or security breaches, the institutions must be prepared to smoothly transition back into normalcy. The process described involves a business impact analysis, a business continuity and response plan, recovery plans, testing the plans, and finally setting up channels of communication during a crisis.

Payment Service User Relationship Management

The PSPs' security risk management is mandated to establish and implement processes that increase awareness of security risks linked to each service. In light of new threats, assistance and guidance have to be implemented.

The rest of the EBA guidelines for PSPs are about the detection of fraudulent or malicious account uses, and ways to prevent breaches by disabling certain functions.


The use of third-party providers – EBA outsourcing guidelines

In the EBA outsourcing guidelines, the authority defines outsourcing as an arrangement between a regulated institution and a service provider who performs a process, service, or activity that would normally be taken care of internally.

Thus, each institution is advised to determine which arrangements fall under third-party outsourcing. The rules are stricter on the more sensitive tasks that could cause disruptions like systemic failure when compromised.

The EBA guidelines on outsourcing state that the institutions have to ensure that their risk-mitigating measures are effective when using third-party providers.

Therefore, third-party providers fall under the institution's definition of risk management.

To make sure that there is continuity of ICT services and ICT systems, the EBA outsourcing guidelines recommend institutions to ensure that the contracts and service- agreements, include the following measures:

  • There has to be appropriate and proportionate information about the security-related objectives and measures. These have to include the minimum cyber security requirements, specs for the institution’s data life cycle, requirements about data encryption, network security and monitoring processes as well as the location of data centers.
  • The EBA outsourcing guidelines state that there need to be operational and security incident handling procedures that include escalation and reporting.

The financial institutions that enter into these agreements with third-party providers have to monitor and ensure that the level of compliance with the security measures, objectives, and performance targets are met.

The security standard of third-party providers has to be up to par with the standard of the institutions that hire them, as stated in the EBA outsourcing guidelines.



The EBA guidelines particularly name cloud services as the highest security risk.

Cloud deployment efforts have increased across most industries, which was accelerated by the pandemic, forcing more people to work from home. The EBA guidelines on outsourcing, aim to cover the potential areas of risk that come with cloud-based workplaces.

Through software like LeanIX, large institutions are given the necessary tools and services within their enterprise architecture, while effectively managing application portfolios.

For enterprises that use more than 100 applications in their day-to-day operations, maintaining application transparency is an extremely difficult task. Thus, effective application management makes it much easier to adhere to the EBA guidelines on outsourcing.

LeanIX helps the mentioned institutions to keep a handle on all software from different vendors. After all, with an emphasis on third-party provider monitoring, conforming to complex EBA guidelines is much more feasible than it seems.

Free White Paper

How to Manage IT Regulations with an EA Management Tool for Financial Institutions

Preview the first 7 Pages

Page: /

Fill out the form to get the full version