These are the comments from Bits on behalf of the Norwegian banking industry. We believe that the requirements may form a good basis for ICT and information security related areas for financial institutions. As mentioned in chapter 3, cyber security threats have some inherent characteristics that require specific measures that may not be covered by the institutions regular risk management processes. However, we believe that the guidelines in some areas are too prescriptive, hence limiting the available options for the financial institutions, especially for new and unknown threats. The guidelines should focus more on the outcomes than the ‘how’ to enable the financial institutions ability to handle the diversity of cyber threats.