Guidelines on ICT and security risk management

Status: Final and translated into the EU official languages

These draft Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market. Once into force, these Guidelines will replace those on security measures for operational and security risks (EBA GL/2017/17), which will then be repealed.

Links

Guidelines on security measures for operational and security risks under the PSD2

Summary of document history

Current version Ongoing versions

This document consolidates EBA/GL/2019/04 and EBA/GL/2025/02. It is meant purely as a documentation tool and the EBA does not assume any liability for its contents.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Pillar 3 data hub

Reporting

Data

Publications

Media centre

Guidelines on ICT and security risk management

Summary of document history

Consolidated version of EBA ameding Guidelines on ICT and security risk management

Press contacts