17 October 2022
The European Banking Authority (EBA) today published the conclusions of its peer review of how competent authorities supervise institutions’ ICT risk management and how they have implemented the EBA Guidelines on ICT risk assessment under the supervisory review and evaluation process (SREP). Overall, the analysis suggests that competent authorities across the EU have applied a risk-based approach to the supervision of ICT risk management. The EBA has not identified any significant concerns regarding supervisory practices but makes some general recommendations for further improvement.
The peer review findings suggest that the EU competent authorities have largely implemented the EBA Guidelines on ICT Risk Assessment under the SREP and applied them in their supervisory practices.
The findings also suggest that the competent authorities have applied a risk-based approach to the supervision of ICT risk management where the depth and frequency of the assessments correlate with the level of ICT risk of the institutions.
The peer review did not raise significant concerns regarding supervisory practices on ICT risk management, but the EBA makes a number of general recommendations to further strengthen those practices. The peer review also recommends that the EBA incorporate a number of the good practices it identified into the Guidelines on ICT risk assessment under the SREP when those Guidelines are next reviewed.
Legal basis and background
Article 30 of the EBA Regulation requires the EBA to periodically conduct peer reviews of some or all of the activities of competent authorities within its remit, to further strengthen consistency and effectiveness in supervisory outcomes. In addition, the peer review shall include an assessment of, but shall not be limited to, the effectiveness and the degree of convergence reached in the application of Union law and in supervisory practice, including guidelines adopted pursuant to Article 16 of the EBA Regulation, and the extent to which the supervisory practice achieves the objectives set out in Union law. The EBA shall produce a report setting out the results of the peer review.
As part of its peer review work plan for 2020-2021, and following the process set out in Article 30 of the EBA Regulation and the EBA peer review methodology, the EBA’s Ad hoc Peer Review Committee (PRC) conducted a peer review of the supervision of institutions’ ICT risk management and the implementation of the EBA Guidelines on ICT risk assessment under the SREP.