EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is a set of supervisory guidelines that provide financial institutions with requirements and expected practices to identify, manage, and mitigate information and communication technology (ICT) and security risks. The guidelines aim to enhance operational resilience, safeguard sensitive data, and strengthen protections against cyber threats and disruptions.
Published by the European Banking Authority (EBA), the guidelines apply to credit institutions, investment firms, and payment service providers across the European Union. They were issued under Article 16 of the EBA Regulation and replaced the earlier EBA guidelines on security measures for operational and security risks of payment services under PSD2 (EBA/GL/2017/17). They cover a broad range of areas, including cybersecurity controls, risk assessment methodologies, incident handling, business continuity management, and supervisory expectations for digital operational resilience.
Organizations typically integrate the EBA Guidelines into their risk management and security programs by establishing robust ICT controls, conducting regular risk assessments, documenting incident handling processes, and aligning with other regulatory and industry frameworks such as DORA, ISO/IEC 27001, or NIST standards. This supports effective governance, audit readiness, and ongoing compliance with EU financial sector regulations.
Why it Matters
The EBA Guidelines on ICT and Security Risk Management help financial institutions safeguard operations and customer data while meeting evolving regulatory expectations.
Key benefits include:
• Strengthen ICT governance
Establish clear policies and accountability for managing technology and security risks across the organization.
• Enhance regulatory alignment
Support compliance with EU financial sector requirements by aligning internal controls to supervisory expectations and obligations.
• Promote operational resilience
Enable organizations to anticipate, withstand, and recover from ICT-related disruptions and cyber threats more effectively.
• Improve incident response planning
Ensure that processes for identifying, escalating, and managing security incidents are structured, documented, and regularly tested.
• Support audit and compliance readiness
Facilitate thorough documentation and systematic evidence collection, streamlining external audits and regulatory reporting processes.
How it Works
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is structured as a set of guidelines covering proportionality; governance and strategy; the ICT and security risk management framework; information security (logical and physical security, ICT operations security, security monitoring, information security reviews and testing, and training); ICT operations management, including incident and problem management with classification, escalation, and reporting; ICT project and change management; business continuity management; and payment service user relationship management. Each area sets out what the management body must put in place, which documented processes are expected, and how their effectiveness is to be monitored and reviewed. Outsourced ICT services remain in scope: the guidelines expect institutions to keep them within the risk management framework and refer to the EBA's separate outsourcing guidelines for the arrangements themselves.
Organizations apply the guidelines by conducting ICT risk assessments, implementing security controls, formalizing governance and third-party arrangements, and integrating incident response and business continuity plans. Firms map controls to the EBA requirements, perform testing and monitoring, collect evidence for compliance, and use findings to prioritize remediation and raise maturity across security practices.
In SmartSuite, teams operationalize EU EBA GL/2019/04 by importing control libraries and mapping them to a risk register, managing policy governance and third-party inventories, and centralizing evidence collection. The platform enables compliance tracking, automated remediation workflows, incident tracking, audit readiness, and reporting dashboards to support continuous monitoring and governance.
Key Elements
• ICT Governance Structure
Establishes oversight responsibilities, decision-making authorities, and accountability for ICT and security risk management activities.
• ICT Risk Assessment Processes
Describes approaches for identifying, evaluating, and prioritizing ICT-related threats and vulnerabilities to information systems.
• Security Control Domains
Organizes technical and organizational safeguards protecting critical infrastructure, sensitive data, and digital services.
• Incident Handling Framework
Specifies methods for detecting, reporting, and managing ICT and security incidents, including response and communication protocols.
• Business Continuity Arrangements
Defines measures to ensure operational resilience and continuity of critical functions during ICT disruptions or cyber events.
• Outsourcing and Third-Party Risk Management
Outlines procedures for evaluating, monitoring, and managing risks associated with external service providers and supply chains.
• Compliance and Audit Mechanisms
Provides structures for ongoing monitoring, assessment, and demonstration of adherence with regulatory and EBA guideline requirements.
Framework Scope
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is adopted by credit institutions, investment firms, and payment service providers managing financial data and ICT assets. The framework covers information systems and digital infrastructure and is typically implemented to meet regulatory obligations, improve ICT risk management, and support operational resilience and compliance oversight.
Framework Objectives
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management defines essential objectives for managing ICT and security risks in the financial sector.
• Strengthen cybersecurity risk management and organizational governance practices
• Safeguard sensitive data through effective ICT security controls and processes
• Enhance operational resilience against cyber threats and disruptions
• Support compliance with EU regulatory requirements for financial institutions
• Improve data protection and safeguards for critical business information
• Promote audit readiness and robust oversight of ICT risk management
EU EBA GL/2019/04 provides EU banking-specific guidance on ICT and security risk management and operational resilience. It is often mapped to standards such as ISO/IEC 27001/27002 and to DORA, and aligned with GDPR requirements. Banks and financial institutions implement it for regulatory compliance, strengthening operational resilience, security governance, and audit or supervisory preparedness.
Common Framework Mappings
Organizations map the EBA ICT and security guidelines to other standards to achieve regulatory alignment, harmonize controls, and simplify audits across data protection, operational resilience, and technical security programs.
Mapped frameworks include:
CIS Critical Security Controls
EU Digital Operational Resilience Act (DORA)
EU General Data Protection Regulation (GDPR)
ISO/IEC 27001
ISO/IEC 27002
NIST Cybersecurity Framework
NIST SP 800-53
SWIFT Customer Security Programme (CSP)
- Classification: Category: Operational Resilience; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Guidance; Legal Instrument: Guideline; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: European Union; Region Detail: European Union; Publisher: European Banking Authority (EBA)
- Versioning: Version: EBA/GL/2019/04; Effective Date: June 30, 2020; Issue Date: December 19, 2019
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The EBA ICT and Security Risk Management Guidelines are publicly available through the European Banking Authority.
How SmartSuite Supports EU EBA GL/2019/04
Centralize controls, evidence, and audit workflows to stay continuously ready for supervisory review against EU EBA GL/2019/04.
ICT Risk Requirement Library
Organize governance, security, and resilience expectations with clear ownership.
ICT Risk Assessments and Treatment
Run periodic assessments and track mitigations with approvals and timelines.
Outsourcing and Vendor Oversight
Manage provider due diligence, contract controls, and ongoing monitoring evidence.
Incident Response and Escalation Workflow
Track incident handling, classification, and reporting readiness with documentation.
Control Testing and Assurance
Schedule testing, monitoring, and evidence capture for key ICT controls.
Supervisory Readiness Reporting
Provide leadership and regulator-ready reporting on posture, gaps, and actions.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For EU EBA GL/2019/04 (Guidelines on ICT and Security Risk Management)
EU EBA GL/2019/04 is designed to help financial institutions identify, manage, and mitigate ICT and security risks. Its goal is to strengthen operational resilience, protect sensitive data, and reduce the likelihood and impact of cyber threats and disruptions in the EU financial sector.
Yes. EBA guidelines are issued under Article 16 of the EBA Regulation (Regulation (EU) No 1093/2010) on a comply-or-explain basis: competent authorities and the financial institutions in scope must make every effort to comply, and national supervisors state whether they comply and integrate the guidelines into their supervisory practice. In practice, EU credit institutions, investment firms, and payment service providers must align their risk management and ICT security practices with the guidelines to meet supervisory requirements.
The guidelines apply to credit institutions, investment firms, and payment service providers operating within the European Union. Third-party service providers may be covered indirectly through contractual requirements and risk management obligations.
Key requirements include establishing ICT governance frameworks, performing regular risk assessments, implementing technical and organizational security controls, managing third-party risks, and maintaining incident response and business continuity plans. Documentation and continuous monitoring are also essential parts of compliance.
Implementation involves conducting comprehensive ICT risk assessments, developing and updating ICT policies, mapping controls to specific requirements, formalizing incident handling, and integrating business continuity measures. Organizations are expected to document their approach, assign responsibilities, and test the effectiveness of controls regularly.
EU EBA GL/2019/04 overlaps substantially with the Digital Operational Resilience Act (DORA), ISO/IEC 27001, and the NIST Cybersecurity Framework. Unlike the guidelines, DORA is a directly applicable EU regulation, so firms that fall under both should treat DORA's requirements as binding and use the guideline and ISO/NIST mappings to evidence how each requirement is met. Organizations commonly map controls and requirements across these frameworks to leverage synergies and avoid duplicated testing and evidence collection.
Ongoing compliance requires institutions to perform continuous monitoring, regular control testing, updating of risk and incident records, and periodic review of ICT governance structures. Firms must also collect evidence of compliance, address audit findings, and adapt controls based on evolving threats and regulatory updates.
SmartSuite enables organizations to operationalize EU EBA GL/2019/04 by facilitating risk tracking, control management, and evidence collection. The platform supports compliance monitoring, audit readiness, incident and third-party tracking, and robust reporting to ensure effective governance and streamlined regulatory adherence.
Put EU EBA GL/2019/04 into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

