EBA Final Guidelines on ICT Risk Assessment Under Supervisory Review and Evaluation Process

On May 11, 2017, the EBA published a report (EBA/GL/2017/05) containing its final guidelines on information and communication technology (“ICT”) risk assessment under the supervisory review and evaluation process (“SREP”) required under the CRD IV Directive (2013/36/EU).

The guidelines are addressed to competent authorities and aim to promote common procedures and methodologies for the assessment of ICT risk. They should be read in conjunction with the EBA SREP Guidelines, which continue to apply where relevant.

The guidelines are contained in section 3 of the report and are structured around three main parts:

  1. the general provisions for applying the guidelines (Title I);
  2. the assessment of the institution’s ICT governance and strategy (Title II); and
  3. the assessment of ICT risk and the controls in place in the context of risks to capital (Title III), which follows the same structure as the assessment of operational risk in the EBA SREP Guidelines.

Competent authorities should consider the principle of proportionality when applying the guidelines. The depth and detail of the ICT risk assessment should be proportionate to the size, structure and operational environment of the institution, together with the nature, scale and complexity of its activities.

The guidelines are to be translated into the official EU languages and published on the EBA website. They will apply from January 1, 2018.