EBA Guidelines on ICT and Security Risk Management
EBA ICT guidelines establish a prescriptive security and resilience baseline for EU credit institutions that translates directly into specific technical control requirements and audit evidence obligations.
The EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04), which entered into force on 30 June 2020, apply to credit institutions, investment firms, and payment institutions under PSD2. They establish requirements across ICT governance, ICT risk management, ICT security, ICT operations management, ICT project and change management, business continuity management, and relationships with ICT third-party providers. The guidelines are structured around 10 chapters with granular implementation requirements, including specific obligations around ICT asset management (maintaining a current inventory), network security (network segmentation, monitoring for anomalous traffic), cryptography (key management lifecycle), and data security (classification, handling, and retention). For payment institutions, PSD2 Article 95 and EBA Guidelines EBA/GL/2017/17 on PSD2 security measures provide complementary requirements.
The technical implementation of EBA/GL/2019/04 centers on four engineering domains. First, ICT asset management: firms must maintain a continuously updated inventory of all ICT assets (hardware, software, data, and services) with classification by criticality and business function, typically implemented via a CMDB integrated with discovery tooling. Second, access control: the guidelines require multi-factor authentication for remote access and privileged accounts, separation of duties for critical systems, and periodic access reviews — all of which require integration between identity management systems and application-level access controls. Third, patch management: firms must operate a documented vulnerability and patch management process with defined SLAs by severity class (critical patches within defined timeframes) and be able to evidence that those SLAs are met. Fourth, logging and monitoring: firms must collect, retain, and analyse security-relevant logs, with defined retention periods and SIEM correlation rules for anomaly detection.
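The patch-management domain above is the one most easily reduced to a repeatable audit check: every open finding has a severity, a detection date and therefore a deadline, and the evidence a supervisor asks for is simply which findings were closed in time, which were closed late, and which are currently in breach. The following script is an added example written for this page, not code from the guidelines or from any firm's compliance program. The SLA table (14/30/90/180 days) is an assumed illustration, since EBA/GL/2019/04 requires severity-based SLAs but does not prescribe the numbers, and the asset and vulnerability identifiers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLAs in days per severity class. The guideline requires
# SLAs by severity but leaves the figures to the institution; these are illustrative.
PATCH_SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset_id: str                       # key into the CMDB asset inventory
    vuln_id: str                        # placeholder vulnerability identifier
    severity: str                       # one of the PATCH_SLA_DAYS keys
    detected: date                      # date the scanner first reported it
    remediated: Optional[date] = None   # None means the finding is still open


def sla_deadline(finding: Finding) -> date:
    """Date by which the finding must be remediated under the SLA table."""
    return finding.detected + timedelta(days=PATCH_SLA_DAYS[finding.severity])


def classify(finding: Finding, as_of: date) -> str:
    """Return 'met' (closed in time), 'late' (closed after the deadline),
    'open' (unresolved but still within SLA) or 'breached' (unresolved, past SLA)."""
    deadline = sla_deadline(finding)
    if finding.remediated is not None:
        return "met" if finding.remediated <= deadline else "late"
    return "open" if as_of <= deadline else "breached"


def sla_report(findings: List[Finding], as_of: date
               ) -> Tuple[Dict[str, Dict[str, int]], List[Tuple[str, str, int]]]:
    """Per-severity status counts plus the current breaches (asset, vuln, days overdue),
    worst first: the shape of evidence an examiner asks for."""
    counts = {sev: {"met": 0, "late": 0, "open": 0, "breached": 0} for sev in PATCH_SLA_DAYS}
    breaches = []
    for f in findings:
        status = classify(f, as_of)
        counts[f.severity][status] += 1
        if status == "breached":
            breaches.append((f.asset_id, f.vuln_id, (as_of - sla_deadline(f)).days))
    return counts, sorted(breaches, key=lambda b: -b[2])


# Constructed sample findings; not real scan output.
SAMPLE_FINDINGS = [
    Finding("srv-db-01", "VULN-0001", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    Finding("srv-db-01", "VULN-0002", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    Finding("srv-web-02", "VULN-0003", "high", date(2024, 3, 15)),
    Finding("srv-web-02", "VULN-0004", "medium", date(2024, 3, 15)),
    Finding("ws-0199", "VULN-0005", "low", date(2024, 1, 2)),
]


def sample_report():
    """Run the report on the constructed sample as of a fixed reporting date."""
    return sla_report(SAMPLE_FINDINGS, date(2024, 5, 1))


if __name__ == "__main__":
    counts, breaches = sample_report()
    for sev, c in counts.items():
        print(f"{sev:9s} {c}")
    for asset, vuln, days in breaches:
        print(f"BREACH {asset} {vuln} {days} days past SLA")
```

The distinction between "late" and "breached" matters for the audit trail: a finding closed after its deadline is a historical SLA miss that should appear in trend reporting, while a "breached" finding is a live exposure that needs an owner and a risk acceptance or an escalation today. Feeding the same structure from the CMDB's criticality field would let the report prioritise breaches on critical business services first.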
The EBA guidelines are being progressively superseded by DORA for in-scope entities. DORA Article 4 establishes an ICT risk management framework that expands on EBA/GL/2019/04 requirements, and DORA Article 64 provides that in-scope entities complying with DORA's ICT risk provisions are deemed compliant with relevant EBA guidelines. However, the EBA guidelines remain applicable to entities not in scope of DORA (smaller payment institutions, certain investment firms below DORA thresholds) and continue to inform supervisory examination frameworks. The most challenging implementation areas are ICT operational continuity (Chapter 8), which requires defined RTO and RPO for all critical systems with tested recovery procedures, and ICT change management (Chapter 7), which must integrate with development pipelines for application changes.
We implement EBA/GL/2019/04 compliance programs covering CMDB-based asset inventory, MFA and privileged access management, SIEM-based security monitoring, patch management workflows, and business continuity testing. Our delivery aligns the EBA baseline with DORA requirements, ensuring a single control framework serves both regulatory obligations for dual in-scope entities.