EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)
Guidelines issued by EIOPA (EIOPA-BoS-20/600, issued 12 October 2020, applied from 1 July 2021) on how insurance and reinsurance undertakings should apply the Solvency II governance requirements (Directive 2009/138/EC and Delegated Regulation (EU) 2015/35) to information and communication technology (ICT) security and governance. The 25 guidelines cover ICT governance and strategy, ICT and security risk management, information security, ICT operations and change management, business continuity, and outsourcing of ICT services. The Guidelines were WITHDRAWN from 17 January 2025, superseded by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) for EU financial entities.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)
EIOPA ICT - Business Continuity Management
| Code | Title |
|---|---|
| EIOPA-ICTSG-GL.19 | Business continuity management |
| EIOPA-ICTSG-GL.20 | Business impact analysis |
| EIOPA-ICTSG-GL.21 | Business continuity planning |
| EIOPA-ICTSG-GL.22 | Response and recovery plans |
| EIOPA-ICTSG-GL.23 | Testing of plans |
| EIOPA-ICTSG-GL.24 | Crisis communications |
EIOPA ICT - Governance and Risk Management
| Code | Title |
|---|---|
| EIOPA-ICTSG-GL.1 | Proportionality |
| EIOPA-ICTSG-GL.2 | ICT within the system of governance |
| EIOPA-ICTSG-GL.3 | ICT strategy |
| EIOPA-ICTSG-GL.4 | ICT and security risks within the risk management system |
| EIOPA-ICTSG-GL.5 | Audit |
EIOPA ICT - ICT Operations and Change Management
| Code | Title |
|---|---|
| EIOPA-ICTSG-GL.14 | ICT operations management |
| EIOPA-ICTSG-GL.15 | ICT incident and problem management |
| EIOPA-ICTSG-GL.16 | ICT project management |
| EIOPA-ICTSG-GL.17 | ICT systems acquisition and development |
| EIOPA-ICTSG-GL.18 | ICT change management |
EIOPA ICT - Information Security
| Code | Title |
|---|---|
| EIOPA-ICTSG-GL.6 | Information security policy and measures |
| EIOPA-ICTSG-GL.7 | Information security function |
| EIOPA-ICTSG-GL.8 | Logical security |
| EIOPA-ICTSG-GL.9 | Physical security |
| EIOPA-ICTSG-GL.10 | ICT operations security |
| EIOPA-ICTSG-GL.11 | Security monitoring |
| EIOPA-ICTSG-GL.12 | Information security reviews, assessment and testing |
| EIOPA-ICTSG-GL.13 | Information security training and awareness |
EIOPA ICT - Outsourcing of ICT Services
| Code | Title |
|---|---|
| EIOPA-ICTSG-GL.25 | Outsourcing of ICT services and ICT systems |
Maps to 2 other frameworks
Frequently Asked Questions
What is EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600)?
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) is a compliance framework from the European Insurance and Occupational Pensions Authority (EIOPA), an EU authority, with 5 domains and 25 controls. The Guidelines (EIOPA-BoS-20/600, issued 12 October 2020, applied from 1 July 2021) set out how insurance and reinsurance undertakings should apply the Solvency II governance requirements (Directive 2009/138/EC and Delegated Regulation (EU) 2015/35) to information and communication technology (ICT) security and governance. The 25 guidelines cover ICT governance and strategy, ICT and security risk management, information security, ICT operations and change management, business continuity, and outsourcing of ICT services. They were WITHDRAWN from 17 January 2025, superseded by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) for EU financial entities. The framework is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) have?
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) has 25 controls organised across 5 domains. The largest domains are EIOPA ICT - Information Security (8 controls), EIOPA ICT - Business Continuity Management (6 controls) and EIOPA ICT - Governance and Risk Management (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) map to?
EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) maps to 2 other compliance frameworks. The top mapping partners are DORA (60% coverage) and NIST Cybersecurity Framework 2.0 (16% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) compliance?
Start your EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 25 controls and track your progress.