EBA consults on ICT risk

  • News
  • 6 October 2016
The European Banking Authority (EBA) launched today a consultation on its draft Guidelines on the assessment of the Information and Communication Technology (ICT) risk in the context of the Supervisory Review and Evaluation Process (SREP). These draft Guidelines are addressed to competent authorities and aim at promoting common procedures and methodologies for the assessment of ICT risk. The consultation runs until 06 January 2017.
The growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, as well as the increasing potential adverse prudential impact from this risk on an institution and on the sector as a whole led the EBA to develop these Guidelines on its own initiative to assist competent authorities in their assessment of ICT risk as part of the SREP. 
These Guidelines build on existing references to ICT risk in the EBA SREP guidelines providing the scope and methodology for the assessment of ICT risk within an institution. The guidelines are structured around 3 main parts: (i) setting the context and scope of the ensuing assessment; (ii) addressing what competent authorities should expect to see with regard to management of ICT risks at senior management level and management body level, as well as the assessment of an institution's ICT strategy and its alignment with the business strategy; and (iii) covering the assessment of the institution‘s ICT risk exposures and the effectiveness of controls. The assessment contained in these guidelines feeds into the EBA SREP methodology more generally, therefore, they should be read along with the EBA SREP Guidelines , which continue to remain applicable as appropriate.

Consultation process

‎Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. All contributions received will be published following the close of the consultation, unless requested otherwise. Please note that the deadline for the submission of comments is 06 January 2017. A public hearing will take place at the EBA premises on 22 November from 13.30 to 16.30 UK time. 

Legal basis

The EBA has developed these Guidelines on its own initiative in accordance with Article 16 of Regulation (EU) No 1093/2010 which envisages that the Authority shall issue guidelines with a view to ensuring the common, uniform and consistent application of Union law and to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision.


Consultation Paper on Guidelines on ICT Risk Assessment under the SREP (EBA-CP-2016-14)

(566.04 KB - PDF) Last update 6 October 2016

Press contacts

Franca Rosa Congiu