EBA Guidelines on ICT & Security Risk

What Are the EBA Guidelines on ICT and Security Risk Management?

The European Banking Authority (EBA) is an independent agency of the European Union that, among other tasks, issues guidelines on cybersecurity that EU banks must consider.

The most important cybersecurity-related guidelines so far include the EBA Guidelines on ICT and Security Risk Management. They focus on:

  • Cybersecurity governance by establishing a strong, risk-based approach to managing cybersecurity within the organization.
  • Incident management by proactive identification, reporting, and response to security incidents.
  • Vulnerability management by continuously identifying and patching vulnerabilities in software and systems.
  • Access control by implementing strong controls to restrict access to sensitive data and systems.
  • Data security by protecting confidential customer and bank data from unauthorized access, disclosure, or alteration.
  • Supply chain security, which means managing cybersecurity risks associated with third-party vendors and services.

MergeBase and the EBA Guidelines on ICT and Security Risk Management

We are not an EU bank, so these guidelines do not apply to our own work. However, we can help you comply with them if you are required to.


How Can MergeBase Help You Comply with the EBA Guidelines on ICT and Security Risk Management?

In terms of the EBA Guidelines on ICT and Security Risk Management, MergeBase can be beneficial in the following areas:

  • Vulnerability Management. The EBA guidelines place significant emphasis on identifying and patching vulnerabilities in IT systems. MergeBase excels in this area by continuously scanning open-source components used in applications for vulnerabilities and providing automated patching options. This directly aligns with the guidelines’ requirements for proactive risk management and vulnerability mitigation.

  • Incident Response. MergeBase can contribute to the incident response process by providing information about vulnerabilities exploited in attacks and potentially suggesting remediation steps. This can facilitate faster analysis and response to security incidents, as required by the EBA guidelines.

  • Supply Chain Security. The guidelines stress the importance of managing cybersecurity risks associated with third-party vendors. MergeBase’s focus on open-source vulnerabilities within applications can indirectly enhance supply chain security by providing insights into potential issues with vendor-supplied software components.