European Insurance and Occupational Pensions Authority
News article, 12 October 2020

EIOPA finalises Guidelines on Information and Communication Technology Security and Governance

Today, the European Insurance and Occupational Pensions Authority (EIOPA) finalised the Guidelines on Information and Communication Technology (ICT) Security and Governance.

These guidelines provide guidance to national supervisory authorities and market participants on how the operational risk requirements set out in Directive 2009/138/EC (Solvency II) and in Commission Delegated Regulation (EU) 2015/35 apply to ICT security and governance, taking into account EIOPA's Guidelines on System of Governance.

The objective of the guidelines is to strengthen the operational resilience of the digital operations of insurance and reinsurance undertakings against the risks they face. Operational resilience is key to protecting insurance and reinsurance undertakings' digital assets, including their systems and the data of policyholders and beneficiaries. In particular, the guidelines:

  • provide clarification and transparency to market participants on the minimum expected information and cyber security capabilities, i.e. a security baseline;
  • avoid potential regulatory arbitrage;
  • foster supervisory convergence regarding the expectations and processes applicable to ICT security and governance, which is key to proper ICT and security risk management.

EIOPA consulted on the guidelines between December 2019 and March 2020 and took into account the views of stakeholders wherever possible.

National supervisory authorities are expected to apply these guidelines from 1 July 2021.

Go to the Guidelines and the resolution of comments
