The EBA said it had set out the guidelines "in view of the growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions".
According to the guidelines (78-page / 808KB PDF), which will take effect on 1 January 2018, banks can expect national regulators to scrutinise their exposure to risks to system security, business continuity and data integrity, as well as their potential to disrupt the financial system as a whole.
Factors such as the age and complexity of banks' IT systems, whether or not the banks use "innovative ICT solutions", and whether or not they are in the process of updating their IT infrastructure, including as part of merger and acquisition deals, could be relevant to the regulators' assessment.
The guidelines suggested that banks' IT strategies and governance arrangements will also be subject to regulators' scrutiny, and that the firms should have business resilience and continuity plans, ICT security policies and a documented security incident management and escalation process in place, amongst other things.
Regulators should also assess whether banks have measures in place to protect against "unauthorised changes" being made to software code they have developed, as well as "an effective framework in place for identifying, understanding and measuring ICT outsourcing risk", it said.
The EBA's guidelines are designed to sit alongside existing guidance that regulators are supposed to follow to assess the operational risk banks are exposed to.
"The growing importance and increasing complexity of ICT risk within the banking industry and in individual institutions, as well as the increasing potential adverse prudential impact from this risk on an institution and on the sector as a whole have prompted the EBA to develop these guidelines on its own initiative to assist competent authorities in their assessment of ICT risk as part of the SREP (Supervisory Review and Evaluation process)," the EBA said.