Guidelines on information and communication technology security and governance

In accordance with Article 16 of Regulation (EU) No 1094/2010, EIOPA issues these Guidelines addressed to the supervisory authorities to provide guidance on how insurance and reinsurance undertakings should apply the governance requirements foreseen in Directive 2009/138/EC (“Solvency II Directive”) and in Commission Delegated Regulation (EU) No 2015/35 (“Delegated Regulation”) in the context of information and communication technology security and governance.

The objective of these Guidelines is to:

  • provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities (i.e. the security baseline);
  • avoid potential regulatory arbitrage;
  • foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.