EBA guidelines on risk management

Launch of new risk management guidelines for the financial sector
The European Banking Authority (EBA) published its draft guidelines on Information and Communication Technology (ICT) and security risk management in December 2018. When the finalized guidelines come into force the EBA will require all payment service providers (PSPs), credit institutions and investment firms to make every effort to comply with these guidelines.

Derived from PSD2

These guidelines build on the requirements on security measures for operational and security risks mandated under Article 95 of Directive (EU) 2015/2366 (PSD2). Those requirements were addressed to PSPs and their payment services; in practice, however, they were relevant to a broader set of institutions. The applicable parts under the PSD2 Directive will be repealed once these guidelines come into force.

Why new guidelines

The main objective of the guidelines is to establish harmonized requirements for PSPs, credit institutions and investment firms in order to achieve better risk management. The complexity of ICT is increasing and the frequency of ICT related incidents, including cyber incidents, is rising together with their potential significant adverse impact on the operations of financial institutions. In addition, due to the interconnections between financial institutions, ICT related incidents risk causing systemic impact. Therefore, it is critical that financial institutions manage the ICT risks they have.

Harmonization of the requirements helps financial institutions implement the guidelines as specified by the EBA. Areas covered include, but are not limited to, governance, risk management and information security. But in order to meet the requirements in an efficient and effective manner it is imperative that organizations take a holistic approach and not take on the guidelines in a piecemeal fashion.

Seadot Cybersecurity offers

Regulatory compliance is everywhere. Seadot Cybersecurity has extensive experience with regulations such as the EBA guidelines, and we offer organizations in the financial industry our expertise. Risk management is complex and requires a deep understanding of the ever-changing technology and threat landscape as well as of business and information risks. Through our experienced consultants we work together with the financial industry throughout the Nordics to implement efficient and effective ICT and security risk management.

Are you responsible for compliance, risk management or cyber security? Then reach out to Seadot Cybersecurity for an initial discussion on your challenges.
