Knowledge on information and communication technology and security are included in the fit and proper assessment of the bank’s management body.


On 21 February 2024, the European Central Bank released a supervision newsletter on new policy / its expectation for more bank board expertise on information and communication technology (“ICT”) and security risks (the “Risks”) (the” ECB Expectations”).

The Risks are one of the supervisory priorities for the period 2024-2026.  During its supervision activities, the ECB identified deficiencies in banks’ management bodies regarding the Risks. On this basis, the ECB Expectations aim at assessing collective knowledge on the Risks in the fit and proper assessments of banks’ management bodies.

The ECB Expectations are added to any other fit and proper rules that may be provided at European level (such as Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, DORA) or at national level. They follow the principle of proportionality and are adapted according to the bank's size, risk exposure and management position. They are applied on a case-by-case basis.

At individual level, members of the management body and internal control functions are required to have a sufficient understanding of the Risks. At collective level, the collective suitability of the members of the management body is the main protection against the Risks and thus covers their knowledge, skills and experience relating to the Risks. The ECB Expectations require that the management body should have at least one non-executive member with relevant and recent knowledge of, and expertise in the Risks; the ECB suggests that a 5 years’ experience is adequate.

All members of the management body should attend regular training (at least once a year) to keep up-to-date knowledge and skills. The ECB advises supervised banks to consider organising such training as soon as 2024.

The ECB Expectations apply as of 1 March 2024.

Should you have any questions on the above, please do not hesitate to contact one of our experts in the regulatory team.