Financial Regulatory Requirements
EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
EBA Guidelines on ICT and security risk management: Released by EBA on November 29, 2019. These draft Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market.
EBA Guidelines on outsourcing arrangements: Released by EBA on February 25, 2019. These Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important.
ESMA is an independent EU authority whose purpose is to enhance investor protection, promote orderly financial markets, and safeguard financial stability.
Outsourcing Guidelines to cloud service providers: Released by ESMA on May 10, 2021. The objectives of these guidelines are to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure the common, uniform, and consistent application of the requirements. In particular, these guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements, from the decision to outsource and the selection of a cloud service provider, through the monitoring of outsourced activities, to the provision of exit strategies.
EIOPA is at the heart of insurance and occupational pensions supervision in the EU. Its mission is to protect the public interest. EIOPA does this by helping ensure the short-, medium- and long-term stability and effectiveness of the financial system for the EU's economy, businesses and people.
Guidelines on outsourcing to cloud service providers: Released by EIOPA on January 31, 2020. It sets out the final text of the EIOPA Guidelines on outsourcing to cloud service providers.
Guidelines on information and communication technology security and governance:
Released by EIOPA on October 8, 2020. The objectives of these Guidelines are to:
a) Provide clarification and transparency to market participants on minimum expected information and cybersecurity capabilities.
b) Avoid potential regulatory arbitrage.
c) Foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.
The Central Bank of Ireland is the financial services regulator of the Republic of Ireland. It supervises credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. Its mission is to serve the public interest by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of consumers and the wider economy.
Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks: Issued by the Central Bank of Ireland in September 2016, this guidance sets out expectations on information technology ("IT") and cybersecurity governance and risk management for regulated firms in Ireland. It also records observations drawn from the regulatory work undertaken by the central bank during 2015 and 2016 to assess operational, governance, and strategic risks related to IT and cybersecurity in regulated firms, and it sets out the central bank's current thinking on the best practices regulated firms should use to develop effective IT and cybersecurity governance and risk management frameworks.
Cross Industry Guidance on Outsourcing: Issued by the Central Bank of Ireland in December 2021, this guidance outlines the bank's expectations for outsourcing risk management by regulated financial service providers (RFSPs or firms), with the aim of promoting higher standards of operational resilience.
The Bank of Spain is the national central bank responsible for regulating Spanish banks. Under the framework of the Single Supervisory Mechanism (SSM), the Bank of Spain along with the European Central Bank is the regulator of the Spanish banking system. Its activities are regulated by the Law of Autonomy of the Bank of Spain.
The Bank of Spain has confirmed its intention to apply in Spain the EBA Guidelines on ICT and security risk management and the EBA Guidelines on outsourcing arrangements (the latter issued by the European Banking Authority (EBA) on February 25, 2019).
The Hungarian National Bank (Magyar Nemzeti Bank, MNB) is the regulatory body of the Hungarian financial markets and a member of the European System of Central Banks. MNB oversees credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. The primary objective of MNB is to achieve and maintain price stability and to use monetary policy to support the government's economic policy.
Government Decree 42/2015 (III.12.) on protecting the information system of financial institutions, insurance undertakings, reinsurance undertakings, investment firms and commodity dealers: Issued by the Hungarian government on January 1, 2016, this decree outlines supervision measures, data protection controls, information security certification procedures, and system integrity inspection and control regulations for protecting the security of the information systems of financial institutions, insurance undertakings, reinsurance undertakings, investment firms, and commodity dealers.
The National Bank of Romania (NBR) is the central bank of Romania. Its main objective is to ensure and maintain price stability and support the general economic policy of the government. The main tasks of NBR are to develop and implement the monetary and exchange rate policies, to authorize, regulate, and prudently supervise credit institutions, and to promote and oversee smooth operations of the payment systems to ensure financial stability.
Regulation no. 3/2018 on the monitoring of financial market infrastructures and payment instruments: Issued by the National Bank of Romania on August 1, 2018, this regulation sets out requirements on the authorization and supervision of financial market infrastructures and their managers and participants, as well as on the circulation, issuance, and supervision of payment instruments and payment service providers.
Instructions from 20.01.2020 on outsourcing: Issued by the National Bank of Romania on January 20, 2020, these instructions clarify that payment institutions and electronic money institutions should consider adopting the EBA Guidelines on outsourcing arrangements released by the European Banking Authority (EBA) on February 25, 2019.
The Federal Financial Supervisory Authority (BaFin) is the German financial industry regulator that centrally regulates banks and financial service providers, insurance companies and securities transactions. Its main objective is to ensure the proper functioning, stability and integrity of the German financial system.
BaFin Guidance on Outsourcing to Cloud Service Providers: Officially released in November 2018. It provides guidance from BaFin and the Deutsche Bundesbank to financial institutions on the risk control assessment process and the key contract elements to address with cloud service providers when adopting cloud services.
Circular 10/2017 on the Banking Supervisory Requirements for IT: First released on November 6, 2017 and revised in August 2021, this circular provides a flexible and practical framework for institutions' technical and organizational resources, especially in IT resource management, information risk management, and information security management.
Circular 11/2019 on Supervisory Requirements for IT in Capital Management Companies: Officially released in October 2019. The circular covers the technical and organizational resources of German capital management companies, in particular IT resource management and IT risk management. In addition, it specifies requirements on organization, risk management and outsourcing that together define the minimum regulatory requirements for information technology at German capital management companies.
Circular 10/2018 on Supervisory Requirements for IT in Insurance Undertakings: Officially released in November 2018. Based on the German Insurance Supervision Act, this circular describes the technical and organizational resources that BaFin considers appropriate for IT systems, especially the requirements on information security and information risk management.