Skip to main content

Technology and Digital (ICT) Regulatory Compliance

Assessing your Compliance with ICT Regulatory requirements and remediation of identified gaps

The ICT Regulatory requirements for the financial services industry continues to evolve at a rapid pace. The impact of these changes could result in significant changes in existing products, operations and services offered by you to your clients. Deloitte serves clients across the financial industry and can assist you in the evaluation of the impact of EU and local ICT regulation on your business and help you to further strength your Compliance.


On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA). The legislative proposal builds on existing information and communications technology (ICT) risk management requirements already developed by other EU institutions and ties together several recent EU initiatives into one Regulation. The DORA aims to establish a much clearer foundation for EU financial regulators and supervisors to be able to expand their focus from ensuring firms remain financially resilient to also making sure they are able to maintain resilient operations through a severe operational disruption.

EBA guidelines

The benefits of digitalization also opens up financial service providers to increased and new risks. Cyberattacks make it clear how vulnerable IT systems are. The Guidelines on ICT and Security Risk Management (EBA/GL/ 2019/04) of the European Banking Authority (EBA) therefore specify essential requirements for ICT/IT systems. In recent years, and in particular due to the COVID-19 pandemic, financial service providers have increasingly offered online services, which also requires measures to ensure the availability of these services and the protection of their users from fraud. In times of general uncertainty, regulators also want to create a uniform and transnational framework. In order to achieve this, the present guideline, with its entry into force on 30 June 2020, will also include the guide applicable to FMA-supervised credit institutions. The ICT and Security Risk Management guidelines also links aptly with EBA Guidelines on Outsourcing (EBA/GL/2019/02) which entered into force on the 30 September 2019. The outsourcing guidelines focus on ensuring the effectiveness of the risk-mitigating measures when outsourcing or using third party providers (including cloud providers).


In 2017, SWIFT issued its Customer Security Controls Framework (CSCF) in response to cyber-attacks where hackers successfully breached the local operating environment established by SWIFT users. This framework aims to limit opportunities that hackers have to exploit weaknesses in SWIFT users' local environments. As part of the SWIFT Customer Security Programme (CSP) SWIFT users need to implement the cyber security controls defined in the CSCF in their local environments. On a yearly basis, SWIFT users need to attest against these controls and since 2021 this assessment needs to be supported by an independent party.


The Revised Payment Services Directive (PSD2) is an important step towards the implementation of a Single Euro Payments Area (SEPA). Although PSD2 is an EU regulation, it’s expected to have a major impact on how banks, payment processors, and fintech firms do business globally. PSD2 aims at making payments more efficient, swift and secure for consumers. By doing so, it will increase competition as new players will enter the market.

As an affected stakeholder, you will face fundamental regulatory and technology challenges. Throughout this transition period, Deloitte is able to support you in assessing  your current state of compliance and furthermore in remediationactivities to be compliant with the regulation.

AI Act

On April 21, 2021, the European Commission published its draft of the Artificial Intelligence Act (AI Act). With the increase of AI development and used across all sectors, the EU decided to address the potential high risks it poses to safety and fundamental rights equally. The Artificial Intelligence Act is an uniform legal framework for the development, marketing and use of AI systems. Each AI system will be subject to a risk assessment. The EU will define regulations and responsibilities for high-risk AI systems such as system used as safety component or systems which may pose a threat to the fundamental rights of persons. Other AI system will need to apply the transparency rules (notification of any IA use).

How we can help

Deloitte has developed a comprehensive and structured approach for ICT Regulatory Compliance. Our methodology for preparing and delivering ICT Regulatory Compliance follows a phased approach which is customised to meet specific business and regulations needs of our clients. Our approach incorporates a risk-centric focus, while also identifying the effective and efficient methods for identifying scope, assessing of and advising on required controls and executing the tasks and activities associated with Regulatory Compliance.