On 17 October 2022, the European Banking Authority (EBA) published a report setting out its findings following a peer review on information and communication technology (ICT) risk assessment under the supervisory review and evaluation process (SREP).

Key findings from the peer review include:

  • EU competent authorities have largely implemented the EBA’s guidelines on ICT risk assessment under the SREP and applied them in their supervisory practices.
  • EU competent authorities have applied a risk-based approach to the supervision of ICT risk management where the depth and frequency of the assessments correlate with the level of ICT risk of the institutions.
  • No significant concerns were raised regarding supervisory practices on ICT risk management, but the EBA makes a number of general recommendations to further strengthen them.

The peer review also includes recommendations for the EBA to incorporate a number of identified good practices into its guidelines on ICT risk assessment under the SREP. These are to be incorporated when the guidelines are reviewed in the future.