EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is a regulatory framework that provides financial institutions with requirements and best practices to identify, manage, and mitigate information and communication technology (ICT) and security risks. The guidelines aim to enhance operational resilience, safeguard sensitive data, and strengthen protections against cyber threats and disruptions.
Published by the European Banking Authority (EBA), this framework applies to credit institutions, investment firms, and payment service providers across the European Union. It covers a broad range of areas, including cybersecurity controls, risk assessment methodologies, incident response planning, business continuity management, and regulatory compliance with digital operational resilience requirements.
Organizations typically integrate the EBA Guidelines into their risk management and security programs by establishing robust ICT controls, conducting regular risk assessments, documenting incident handling processes, and aligning with other regulatory and industry frameworks such as DORA, ISO 27001, or NIST standards. This supports effective governance, audit readiness, and ongoing compliance with EU financial sector regulations.
Why it Matters
The EBA Guidelines on ICT and Security Risk Management help financial institutions safeguard operations and customer data while meeting evolving regulatory expectations.
Key benefits include:
- Strengthen ICT governance
Establish clear policies and accountability for managing technology and security risks across the organization.
- Enhance regulatory alignment
Support compliance with EU financial sector requirements by aligning internal controls to supervisory expectations and obligations.
- Promote operational resilience
Enable organizations to anticipate, withstand, and recover from ICT-related disruptions and cyber threats more effectively.
- Improve incident response planning
Ensure that processes for identifying, escalating, and managing security incidents are structured, documented, and regularly tested.
- Support audit and compliance readiness
Facilitate thorough documentation and systematic evidence collection, streamlining external audits and regulatory reporting processes.
How it Works
The EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is structured around governance domains, a risk management lifecycle, and a set of security safeguards and regulatory requirements covering ICT operations, third-party risk, incident reporting, and resilience testing. It establishes roles and responsibilities, control families, and processes for ongoing monitoring and continuous improvement.
Organizations apply the guidelines by conducting ICT risk assessments, implementing security controls, formalizing governance and third-party arrangements, and integrating incident response and business continuity plans. Firms map controls to the EBA requirements, perform testing and monitoring, collect evidence for compliance, and use findings to prioritize remediation and elevate maturity across security practices.
In SmartSuite, teams operationalize EU EBA GL/2019/04 by importing control libraries and mapping them to a risk register, managing policy governance and third-party inventories, and centralizing evidence collection. The platform enables compliance tracking, automated remediation workflows, incident tracking, audit readiness, and reporting dashboards to support continuous monitoring and governance.
Key Elements
- ICT Governance Structure
Establishes oversight responsibilities, decision-making authorities, and accountability for ICT and security risk management activities.
- ICT Risk Assessment Processes
Describes approaches for identifying, evaluating, and prioritizing ICT-related threats and vulnerabilities to information systems.
- Security Control Domains
Organizes technical and organizational safeguards protecting critical infrastructure, sensitive data, and digital services.
- Incident Handling Framework
Specifies methods for detecting, reporting, and managing ICT and security incidents, including response and communication protocols.
- Business Continuity Arrangements
Defines measures to ensure operational resilience and continuity of critical functions during ICT disruptions or cyber events.
- Outsourcing and Third-Party Risk Management
Outlines procedures for evaluating, monitoring, and managing risks associated with external service providers and supply chains.
- Compliance and Audit Mechanisms
Provides structures for ongoing monitoring, assessment, and demonstration of adherence to regulatory and EBA guideline requirements.
Framework Scope
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management is adopted by credit institutions, investment firms, and payment service providers managing financial data and ICT assets. The framework covers information systems and digital infrastructure and is typically implemented to meet regulatory obligations, improve ICT risk management, and support operational resilience and compliance oversight.
Framework Objectives
EU EBA GL/2019/04 — Guidelines on ICT and Security Risk Management defines essential objectives for managing ICT and security risks in the financial sector.
Strengthen cybersecurity risk management and organizational governance practices
Safeguard sensitive data through effective ICT security controls and processes
Enhance operational resilience against cyber threats and disruptions
Support compliance with EU regulatory requirements for financial institutions
Improve data protection and safeguards for critical business information
Promote audit readiness and robust oversight of ICT risk management
Framework in Context
EU EBA GL/2019/04 provides EU banking-specific guidance on ICT and security risk management and operational resilience, often mapped to standards like ISO/IEC 27001/27002 and DORA and aligned with GDPR requirements. Banks and financial institutions implement it for regulatory compliance, strengthening operational resilience, security governance, and audit or supervisory preparedness.
Common Framework Mappings
Organizations map EBA ICT and security guidelines to other standards to achieve regulatory alignment, harmonize controls, and simplify audits across data protection, operational resilience, and technical security programs.
Mapped frameworks include:
CIS Critical Security Controls
EU Digital Operational Resilience Act (DORA)
EU General Data Protection Regulation (GDPR)
ISO/IEC 27001
ISO/IEC 27002
NIST Cybersecurity Framework
NIST SP 800-53
SWIFT Customer Security Programme (CSP)
- Classification: Category: Operational Resilience; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Guidance; Legal Instrument: Guideline; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: European Union; Region Detail: European Union; Publisher: European Banking Authority (EBA)
- Versioning: Version: EBA/GL/2019/04; Effective Date: June 30, 2020; Issue Date: December 19, 2019
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The EBA ICT and Security Risk Management Guidelines are publicly available through the European Banking Authority.
How SmartSuite Supports EMEA EU EBA GL/2019/04
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
ICT Risk Requirement Library
Organize governance, security, and resilience expectations with clear ownership.
ICT Risk Assessments and Treatment
Run periodic assessments and track mitigations with approvals and timelines.
Outsourcing and Vendor Oversight
Manage provider due diligence, contract controls, and ongoing monitoring evidence.
Incident Response and Escalation Workflow
Track incident handling, classification, and reporting readiness with documentation.
Control Testing and Assurance
Schedule testing, monitoring, and evidence capture for key ICT controls.
Supervisory Readiness Reporting
Provide leadership and regulator-ready reporting on posture, gaps, and actions.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

DORA is an EU regulation requiring financial firms to manage ICT risks, report incidents, test security, and oversee third-party providers.

GDPR is an EU regulation that protects individuals' personal data and strengthens organizations' accountability for privacy.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For EU EBA GL/2019/04 (Guidelines on ICT and Security Risk Management)
EU EBA GL/2019/04 is designed to help financial institutions identify, manage, and mitigate ICT and security risks. Its goal is to strengthen operational resilience, protect sensitive data, and prevent cyber threats and disruptions in the EU financial sector.
Yes, compliance is mandatory for EU credit institutions, investment firms, and payment service providers under EBA’s regulatory oversight. Firms must align their risk management and ICT security practices with the guidelines to fulfill legal and supervisory requirements.
The guidelines apply to credit institutions, investment firms, and payment service providers operating within the European Union. Third-party service providers may be covered indirectly through contractual requirements and risk management obligations.
Key requirements include establishing ICT governance frameworks, performing regular risk assessments, implementing technical and organizational security controls, managing third-party risks, and maintaining incident response and business continuity plans. Documentation and continuous monitoring are also essential parts of compliance.
Implementation involves conducting comprehensive ICT risk assessments, developing and updating ICT policies, mapping controls to specific requirements, formalizing incident handling, and integrating business continuity measures. Organizations are expected to document their approach, assign responsibilities, and test the effectiveness of controls regularly.
EU EBA GL/2019/04 aligns closely with the Digital Operational Resilience Act (DORA), ISO 27001, and NIST standards, ensuring harmonization of cybersecurity and operational risk practices. Organizations commonly map controls and requirements across these frameworks to leverage synergies and ensure comprehensive compliance.
Ongoing compliance requires institutions to perform continuous monitoring, regular control testing, updating of risk and incident records, and periodic review of ICT governance structures. Firms must also collect evidence of compliance, address audit findings, and adapt controls based on evolving threats and regulatory updates.
SmartSuite enables organizations to operationalize EU EBA GL/2019/04 by facilitating risk tracking, control management, and evidence collection. The platform supports compliance monitoring, audit readiness, incident and third-party tracking, and robust reporting to ensure effective governance and streamlined regulatory adherence.
Manage controls, risks, evidence, and audits in one platform designed for modern governance, risk, and compliance.

