European Insurance and Occupational Pensions Authority


Q&A

Question ID: 2302

Regulation Reference: (EU) No 2015/35 - supplementing Dir 2009/138/EC - taking up & pursuit of the business of Insurance and Reinsurance (SII)

Topic: Other

Article: Articles 41, 44 of SII Directive; Articles 258, 259, 274 of Delegated Regulation 2015/35

Status: Final

Date of submission: 09 Jun 2021

Question

EIOPA Guideline on information and communication technology security and governance

The Danish FSA has processed the content of the guidelines and has two questions in that regard. Specifically regarding “guideline 3 – ICT strategy” and “guideline 7 - Information security function”. Can you please refer to the specific provisions of legislative acts, associated delegated and implementing acts, which you consider as the legal hook for these two guidelines? 

EIOPA answer

The purpose of the EIOPA guidelines on ICT security and governance is to ensure a common, uniform and consistent application of supervisory practices providing clarification to market participants on the minimum expected security baseline.

As such, Guidelines 3 (ICT strategy), 17 (on the role of the AMSB in the risk management system) and 21 (on the operational risk management policy) complement the framework already laid out by the Solvency II Directive (namely Article 41 paragraphs 1 and 4 on general governance requirements and Article 44 paragraphs 1 and 2(e) on risk management) and the Delegated Acts (Article 258 paragraphs 1(b), (h), (j), (k) and 6 on general governance requirements and Article 259 paragraph 1(a) on the risk management system). Furthermore, a reference to the EIOPA Guidelines on System of Governance can also be made.

Guideline 7 (Information security function) also complements the framework already laid out in the Solvency II Directive (Article 41 paragraphs 1 and 2 on general governance requirements, Article 44 paragraphs 1 and 2(e) on risk management and Article 49 paragraph 1(a), (b) and (d) on outsourcing) and the Delegated Acts (Article 258 paragraphs 1(a), (f), (g), (k) and 5 on general governance requirements and Article 274 paragraphs 3(a), (e), (f) and 4(b), (c), (f), (g) on outsourcing).