
Page 1: Brussels, 16 June 2020 - | nbb.be

Boulevard de Berlaimont 14 - BE-1000 Brussels
Phone +32 2 221 48 66
Company number: 0203.201.340
RPM (Trade Register) Brussels
www.nbb.be

Banque Nationale de Belgique / Nationale Bank van België

Eurosystem

Circular

Brussels, 16 June 2020

Reference: NBB_2020_23

Contact person: Thomas Plomteux

Phone +32 2 221 21 97

thomas.plomteux@nbb.be

European Banking Authority (EBA) Guidelines of 29 November 2019 on ICT¹ and security risk management (EBA/GL/2019/04)

- Credit institutions and stockbroking firms governed by Belgian law;
- branches established in Belgium of credit institutions and stockbroking firms governed by the law of a non-EEA Member State;
- payment institutions and electronic money institutions governed by Belgian law;
- branches established in Belgium of payment institutions and electronic money institutions governed by the law of a non-EEA Member State²;
- in the context of consolidated supervision, group supervision or supplementary conglomerate supervision, financial holding companies and mixed financial holding companies.

Summary/Objectives

This Circular implements the Guidelines of the European Banking Authority (hereinafter referred to as the "EBA") on ICT and security risk management (EBA/GL/2019/04)³ and applies from 30 June 2020. This Circular replaces Circular NBB_2018_13, which ceases to apply from that date.

¹ Information and communication technology.
² Assuming that the legal provision of which the content is specified here is made applicable to the branches concerned.
³ https://eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management

NBB_2020_23 - 16062020 Circular - Page 1/3

Page 2

Dear Sir,

Dear Madam,

1. Introduction and motivation

Through this Circular, the NBB indicates that the EBA Guidelines on ICT and security risk management have been integrated in its supervisory practices. These Guidelines aim to guarantee adequate ICT and security management in the financial sector in the European Union and to ensure a level playing field in this area for financial institutions. Among other things, these Guidelines include provisions on governance and strategy, ICT and security risk management, information security, ICT operations management, ICT project and change management, and business continuity management.

Thus, this Circular clarifies the National Bank of Belgium's expectations regarding the implementation of the following provisions:

- Article 21 of the Law of 25 April 2014 on the legal status and supervision of credit institutions and stockbroking firms ("the Banking Law of 25 April 2014") and Articles 21 and 176 of the Law of 11 March 2018 on the legal status and supervision of payment institutions and electronic money institutions, access to the activity of payment service provider and the activity of issuing electronic money, and access to payment systems ("the Payment Services Law of 11 March 2018") in relation to the obligation to have a sound and appropriate arrangement for the organisation of the business⁴;
- Articles 50 through 53 and 145 of the Law of 11 March 2018⁵ in relation to the security risks for the provision of payment services and the issuance of electronic money.

Pursuant to Article 168 of the Banking Law, these requirements also apply on a consolidated basis to Belgian parent credit institutions and to credit institutions governed by Belgian law that are controlled by a parent financial holding company or a parent mixed financial holding company. In this context, financial holding companies and mixed financial holding companies governed by Belgian law are therefore also expected to comply with this Circular on a consolidated basis.

⁴ Among other things, these Articles mention:
- an appropriate management structure, including a clear, transparent and coherent arrangement for allocating responsibilities;
- effective procedures for the identification, measurement, management, monitoring and internal reporting of the financial institution's risks;
- an appropriate independent risk management function and internal audit function;
- appropriate IT control and security measures;
- the introduction of appropriate measures for business continuity to guarantee that the critical/essential business functions can be preserved or restored as quickly as possible and that the normal provision of services and activities can be resumed within a reasonable timeframe.
⁵ Articles 50 through 53 and Article 145 of the Payment Services Law clarify that each payment service provider is expected to establish a security policy as well as procedures for reporting incidents.


Page 3

2. Clarifications on the scope and implementation

When referring to "financial institutions", the EBA Guidelines and this Circular apply to:
- payment service providers (payment institutions, electronic money institutions and credit institutions) with respect to the provision of payment services;
- credit institutions with respect to any of their activities other than payment services;
- stockbroking firms with respect to any of their activities.

Some provisions and clarifications in the Guidelines are aimed exclusively at payment service providers, credit institutions or "investment firms". For the scope of this Circular, "investment firms" should be read as stockbroking firms.

This Circular applies from 30 June 2020 and replaces Circular NBB_2018_13, which is repealed from that date.

The EBA Guidelines should be read and applied in conjunction with the provisions of the following Circulars:

- Circular NBB_2019_19, which defines the general expectations regarding outsourcing for this scope;
- Circular NBB_2015_32, which applies specifically to systemically important financial institutions;
- Circular CBFA_2009_17, which includes additional provisions for offering financial services (excluding payment services) via the Internet (inter alia for credit institutions and stockbroking firms);
- Circular PPB 2005/2, which includes additional provisions for business continuity management (inter alia for credit institutions and stockbroking firms);
- Circular NBB_2019_09, which establishes the reporting on operational and security risks of payment services to be submitted by credit institutions and branches of credit institutions;
- Circular NBB_2020_24, which establishes the reporting on operational and security risks of payment services to be submitted by payment institutions and electronic money institutions.

A copy of this Circular will be sent to your institution's accredited statutory auditor(s).

Yours faithfully,
