EIOPA Guidelines on Information and Communication Technology Security and Governance

Key insights and self-assessment checklist

On 12 October 2020, the European Insurance and Occupational Pensions Authority (EIOPA) issued its Guidelines on Information and Communication Technology Security and Governance (“the Guidelines”) in accordance with Article 16 of Regulation (EU) No 1094/2010 and in line with the European Commission's FinTech Action Plan (COM/2018/0109 final) and EIOPA’s Supervisory Convergence Plan 2018–2019.

The Guidelines provide guidance on the sound information and communication technology (ICT) governance and security practices that insurance and reinsurance undertakings should implement to mitigate their technological risks appropriately.

The EIOPA Guidelines cover 25 topics, each containing a set of specific requirements. The self-assessment checklist provided in this article summarizes those 25 topics, allowing an undertaking to determine the readiness level of its ICT security and governance management processes and to identify any potential gaps before the Guidelines come into force.

The Guidelines encompass seven main areas:

1. Governance and strategy

Establish governance that effectively supports the ICT strategy

2. ICT and security risk management

Ensure ICT and security risks are identified and addressed appropriately

3. ICT operations management

Implement efficient and controlled ICT operations processes

4. Information security

Protect the confidentiality, integrity and availability of customer and business data

5. ICT project and change management

Manage projects and changes effectively to meet business and security objectives

6. Business continuity management

Maintain business functions under unforeseen circumstances

7. Outsourcing

Protect outsourced ICT services appropriately

The Guidelines represent a key step for the insurance sector to align with the European Commission’s aim to improve and harmonize the digital operational resilience of the EU’s financial services (as envisioned by the legislative proposal for a Digital Operational Resilience Act).