The European Banking Authority has published final Guidelines on the assessment of the Information and Communication Technology (ICT) risk in the context of the Supervisory Review and Evaluation Process (SREP). These final Guidelines are a result of a consultation that ended on January 6, 2017. The Guidelines will apply to national EU regulators and aim to promote common procedures and methodologies for their assessment of ICT risk. The Guidelines will apply from January 1, 2018.
The increasing significance and complexity of ICT risk within the banking industry and in individual institutions galvanized the EBA to produce these Guidelines to assist national regulators in their assessment of ICT risk as part of the SREP. Thus, these Guidelines should be read in conjunction with the EBA SREP Guidelines, which continue to remain applicable as appropriate.
While these Guidelines do not impose any additional reporting obligations, a national regulator may be able to request, if necessary, additional information from the relevant firm.
View the final Guidelines.
View the Consultation Paper.
View the EBA SREP Guidelines.
