Solvency II Directive (2009/138/EC) — ICT and Security Risk — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each Solvency II requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Coverage Distribution
Full (85-100%): 7
Substantial (65-84%): 16
Partial (40-64%): 10
Weak (1-39%): 2
None (0%): 2

Clause-by-Clause Analysis

Art.41(1) System of governance — general governance requirements

Rationale

AC-01, CA-01, PL-01 establish organisational security policies and planning. PM-01 programme plan and PM-02 senior information security role provide governance structure. PL-09 (Rev 5) central management enables unified governance across controls. PM-29 (Rev 5) risk management programme leadership ensures senior engagement. These collectively address the requirement for an effective system of governance with a clear organisational structure and well-defined responsibilities.

Gaps

Solvency II Art. 41 requires an effective system of governance providing for sound and prudent management, with a transparent organisational structure, clear allocation and appropriate segregation of responsibilities, and an effective system for ensuring the transmission of information. SP 800-53 covers security governance but not the broader prudential governance mandate — particularly the administrative, management, and supervisory body (AMSB) accountability, fit and proper requirements, and the insurance-specific governance expectations. The requirement for proportionality based on the nature, scale, and complexity of the undertaking's operations is not addressed.

Art.41(3) System of governance — written policies

Rationale

SP 800-53 requires documented policies across all 20 control families (AC-01, AT-01, AU-01, CA-01, CM-01, CP-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01). This comprehensively addresses the requirement for written policies covering risk management, internal control, internal audit, and outsourcing at a technical control level.

Gaps

Solvency II Art. 41(3) requires written policies on risk management, internal control, internal audit, outsourcing, and — where relevant — remuneration. SP 800-53 covers security-relevant policies thoroughly but does not address remuneration policy, actuarial function policy, or the requirement that policies be approved by the AMSB and reviewed at least annually. The EIOPA system of governance guidelines further specify that policies must form a coherent whole.

Art.42 Fit and proper requirements for persons running the undertaking

Rationale

PS-01 personnel security policy, PS-02 position risk designation, PS-03 personnel screening, PS-06 access agreements, and PS-09 (Rev 5) position descriptions collectively address personnel vetting and role-based security responsibilities. PS-09 links security requirements to position descriptions, partially addressing the competence dimension.

Gaps

Solvency II Art. 42 requires all persons who effectively run the undertaking or hold key functions to be fit (professionally competent with appropriate knowledge and experience) and proper (good repute and integrity). This extends to qualifying holdings assessment. SP 800-53 personnel security controls cover screening and access but do not address the insurance-specific fit and proper regime, ongoing assessment of competence, or the regulatory notification requirements when key function holders change. The CRD/Solvency II 'fit and proper' standard is substantially more demanding than personnel screening.

Art.44(1) Risk management — effective risk management system

Rationale

PM-01 programme plan, PM-28 (Rev 5) risk framing, and PM-29 (Rev 5) risk management programme leadership establish risk management structure and senior leadership engagement. RA-01 risk assessment policy, RA-03 risk assessment, and RA-07 (Rev 5) risk response provide the assessment-treatment lifecycle. RA-09 (Rev 5) criticality analysis identifies critical components. PL-09 central management, PL-10 baseline selection, and PL-11 baseline tailoring enable systematic risk-based control selection.

Gaps

Solvency II Art. 44 requires an effective risk management system comprising strategies, processes, and reporting procedures to continuously identify, measure, monitor, manage, and report risks — including operational risk and IT risk. The risk management system must cover all risks to which the undertaking is or could be exposed, with specific mention of underwriting, reserving, asset-liability management, investment, liquidity, concentration, and operational risk. SP 800-53 covers IT/security risk well but not the broader enterprise risk management mandate, particularly insurance-specific risk categories. The requirement for a risk management function independent from operational functions is not addressed.

Art.44(2) Risk management — coverage of risks including operational risk

Rationale

RA-01, RA-02, RA-03, and RA-07 (Rev 5) provide risk assessment and treatment across all categorised systems. PM-08 critical infrastructure plan, PM-09 risk management strategy, PM-11 mission and business process definition, and PM-28 (Rev 5) risk framing support enterprise-wide risk identification. These address the operational risk dimension including IT risk.

Gaps

Solvency II Art. 44(2) enumerates risk areas including underwriting and reserving risk, asset-liability management risk, investment risk, liquidity risk, concentration risk, operational risk, reinsurance, and other risk mitigation techniques. SP 800-53 addresses operational/IT risk adequately but has no coverage of insurance-specific risk categories. The requirement to integrate IT risk into the broader operational risk framework is an insurance-specific expectation not present in SP 800-53.

Art.45 Own Risk and Solvency Assessment (ORSA)

Rationale

CA-02 security assessments, CA-05 plan of action and milestones, and CA-07 continuous monitoring provide ongoing assessment capabilities. PM-09 risk management strategy and PM-28 (Rev 5) risk framing address organisational risk posture. RA-03 risk assessment, RA-07 (Rev 5) risk response, and RA-09 (Rev 5) criticality analysis support the self-assessment dimension for IT/operational risk. These partially address the ORSA requirement to assess the overall solvency needs taking into account the specific risk profile.

Gaps

The ORSA is a fundamental Solvency II Pillar 2 requirement obliging undertakings to assess their overall solvency needs, compliance with capital requirements, and deviation of their risk profile from the Solvency Capital Requirement assumptions — on an ongoing basis. SP 800-53 supports IT risk self-assessment but has no concept of solvency self-assessment, capital adequacy testing, forward-looking risk projections, stress testing, or the ORSA supervisory report. The ORSA integrates actuarial, financial, and operational risk in a way that is fundamentally outside SP 800-53 scope.

Art.46 Internal control — compliance function

Rationale

AU-01 audit policy and AU-06 audit review and analysis provide the audit and monitoring foundation. CA-02 security assessments and CA-07 continuous monitoring support compliance verification. PM-04 plan of action and milestones process, PM-06 measures of performance, and PM-14 testing, training, and monitoring address programme assessment. CA-05 plan of action and milestones tracks remediation of identified compliance deficiencies.

Gaps

Solvency II Art. 46 requires an effective internal control system including administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels, and a compliance function that advises the AMSB on compliance with laws, regulations, and administrative provisions. SP 800-53 covers security-specific internal controls but does not address the broader internal control system (financial controls, accounting procedures), the dedicated compliance function, or the advisory role to the AMSB on legal and regulatory compliance. The requirement for the compliance function to assess the possible impact of changes in the legal environment is not covered.

Art.47 Internal audit function

Rationale

CA-02 security assessments and CA-07 continuous monitoring provide audit-like assessment capabilities. PM-06 measures of performance and PM-14 testing, training, and monitoring address evaluation of security programme effectiveness. CA-05 plan of action and milestones tracks audit findings through remediation.

Gaps

Solvency II Art. 47 requires an effective internal audit function that is objective, independent from operational functions, and reports its findings and recommendations to the AMSB. The internal audit function must evaluate the adequacy and effectiveness of the entire internal control system and the elements of the system of governance. SP 800-53 provides security assessments but does not require an independent internal audit function, AMSB reporting of audit findings, or audit coverage of the full governance system. The independence and direct reporting line requirements are specific to Solvency II.

Art.48 Actuarial function
Coverage: 0%

Rationale

No SP 800-53 controls address actuarial functions or actuarial modelling.

Gaps

Solvency II Art. 48 requires an effective actuarial function to coordinate the calculation of technical provisions, ensure the appropriateness of methodologies, models, and assumptions, assess the sufficiency and quality of data, compare best estimates against experience, and inform the AMSB on the reliability and adequacy of technical provisions calculations. This is entirely outside the scope of SP 800-53 as it concerns actuarial science and insurance-specific prudential requirements.

Art.49(1) Outsourcing — general requirements and oversight

Rationale

AC-20 use of external systems, SA-04 acquisition process, SA-09 external information system services, and SR-01 through SR-06 supply chain risk management provide a comprehensive third-party risk foundation. PS-07 third-party personnel security and SA-21 (Rev 5) developer screening address personnel at third-party providers. SR-05 acquisition strategies and SR-06 supplier assessments enable ongoing monitoring and oversight.

Gaps

Solvency II Art. 49 requires that outsourcing does not lead to undue additional operational risk, does not impair the ability of supervisory authorities to monitor compliance, and does not undermine continuous and satisfactory service to policyholders. Undertakings must notify their supervisory authority prior to outsourcing critical or important operational activities. SP 800-53 supply chain controls address vendor risk comprehensively but do not require supervisory notification, maintain the insurance-specific non-delegation of regulatory responsibility, or address the specific policyholder service continuity requirement.

Art.49(2) Outsourcing — critical or important operational activities or functions

Rationale

RA-09 (Rev 5) criticality analysis identifies critical functions and components. SA-04, SA-09 provide acquisition and external service governance. SR-01 through SR-03 establish supply chain policy and risk management plans. SR-06 supplier assessments and reviews and SR-10 inspection of systems or components support ongoing oversight of critical outsourced functions.

Gaps

Solvency II Art. 49(2) imposes enhanced requirements when outsourcing critical or important functions: the undertaking must ensure service quality, adequate oversight, and specifically must notify the supervisory authority in a timely manner. Written agreements must cover the provider's obligations. SP 800-53 supports criticality assessment and vendor oversight but does not require regulatory notification for critical outsourcing, specific written agreements with regulatory access provisions, or the Solvency II standard for determining which activities are 'critical or important.'

Art.49(3) Outsourcing — data protection and confidentiality

Rationale

AC-04 information flow enforcement and SC-08 transmission confidentiality and integrity protect data in transit. SC-28 protection of information at rest addresses stored data. PT-01 through PT-04 (Rev 5) privacy controls cover authority to collect, consent, purpose specification, and privacy notice. SA-09 external information system services includes confidentiality requirements. SI-12 information management and retention addresses data handling.

Gaps

Solvency II Art. 49(3) with EIOPA cloud outsourcing guidelines requires undertakings to take all steps necessary to ensure that data protection and confidentiality are maintained, including compliance with GDPR and national data protection laws. SP 800-53 privacy and data protection controls are comprehensive at a technical level but do not address EU data protection regulation specifics, cross-border data transfer restrictions (Schrems II implications), or the insurance-specific duty to protect policyholder data under the Solvency II governance framework.

DR.258 Delegated Regulation Art. 258 — general governance requirements

Rationale

AC-01, AT-01, CA-01, and PL-01 provide the foundational policy controls. PL-09 (Rev 5) central management enables unified governance. PM-01 programme plan, PM-02 senior information security role, and PM-29 (Rev 5) risk management programme leadership address governance structure. PS-01 personnel security policy and PS-09 (Rev 5) position descriptions link governance roles to security responsibilities and incorporate security into role definitions.

Gaps

Delegated Regulation Art. 258 requires documented policies approved by the AMSB, at least annually reviewed, covering all key function areas. Policies must be coherent and adapted to business strategy. SP 800-53 provides extensive policy framework but does not address AMSB approval requirements, annual review cycles mandated by the regulation, or the requirement that governance policies be coherent across the four key functions (risk management, compliance, internal audit, actuarial). The fit and proper assessment for key function holders is outside scope.

DR.259 Delegated Regulation Art. 259 — remuneration policy
Coverage: 0%

Rationale

No SP 800-53 controls address remuneration, compensation, or incentive structures.

Gaps

Delegated Regulation Art. 259 requires a remuneration policy that promotes sound and effective risk management and does not encourage risk-taking that exceeds the risk tolerance of the undertaking. The policy must cover variable and fixed components, performance criteria, and governance of remuneration decisions. This is entirely outside SP 800-53 scope, which addresses information security controls rather than human resources or compensation governance.

DR.260 Delegated Regulation Art. 260 — risk management function

Rationale

PM-01 programme plan, PM-02 senior information security role, PM-09 risk management strategy, PM-28 (Rev 5) risk framing, and PM-29 (Rev 5) risk management programme leadership address the organisational structure for risk management. RA-01, RA-03, and RA-07 (Rev 5) provide the risk assessment and response cycle.

Gaps

Delegated Regulation Art. 260 requires the risk management function to be structured to facilitate the implementation of the risk management system, with sufficient authority and independence from risk-taking functions. The risk management function must be able to challenge risk-taking activities and have direct access to the AMSB. SP 800-53 supports risk management structure but does not require the function's independence from operational risk-taking, direct AMSB access, or the challenge function role. The integration of IT risk with broader enterprise risk management is not addressed.

DR.266 Delegated Regulation Art. 266 — operational risk management including IT risk

Rationale

This is the primary Solvency II provision addressing IT risk. SP 800-53 provides comprehensive policy coverage via AC-01, AT-01, CA-01, CM-01, CP-01, IA-01, IR-01, SA-01, SC-01, and SI-01. AT-02 and AT-03 address training; CA-02 provides security assessments; CM-02 and CM-06 provide configuration management; CP-01 and CP-02 provide continuity planning; IR-04 provides incident handling; PM-01, PM-08, PM-09, and PM-11 provide programme management; RA-01, RA-03, and RA-05 provide risk assessment and vulnerability scanning; and SI-02 provides flaw remediation. Together these align strongly with the IT risk dimensions of operational risk management.

Gaps

Delegated Regulation Art. 266 requires that operational risk management cover exposures arising from inadequate or failed internal processes, people, and systems, or from external events — including IT risk, legal risk, and compliance risk. SP 800-53 covers the IT systems and security processes dimension comprehensively. Gaps remain in: legal risk management, compliance risk management (non-IT), process failure risk beyond IT, and people risk beyond security personnel controls. The requirement to link operational risk exposure to the Solvency Capital Requirement calculation is entirely outside scope.

DR.266-BCP Delegated Regulation Art. 266 — business continuity and disaster recovery

Rationale

CP-01 contingency planning policy, CP-02 contingency plan, CP-03 training, CP-04 testing, CP-06 alternate storage, CP-07 alternate processing, CP-08 telecommunications, CP-09 backup, CP-10 recovery and reconstitution provide comprehensive BCP/DR coverage. CP-12 safe mode enables degraded operation maintaining essential services. CP-13 alternative security mechanisms provides fallback controls during disruption.

Gaps

Delegated Regulation Art. 266 requires business continuity plans addressing IT disruption and disaster recovery procedures ensuring the continuity of critical processes. SP 800-53 CP family provides strong BCP/DR coverage. Minor gaps: the regulation requires BCP to be integrated with the broader undertaking's continuity planning (not just IT), annual BCP testing with senior management involvement, and explicit policyholder service continuity — none of which are SP 800-53 requirements.

DR.266-DataSec Delegated Regulation Art. 266 — data security and information classification

Rationale

AC-03 access enforcement and AC-04 information flow enforcement control access to and movement of data. AC-16 automated labelling and CM-12 (Rev 5) information location provide data classification and tracking, and CM-08 component inventory provides the asset inventory. MP-01 through MP-06 cover the media protection lifecycle. RA-02 security categorisation establishes the classification scheme. SC-08 transmission integrity, SC-12 and SC-13 cryptographic key management and cryptographic protection, and SC-28 protection of information at rest secure data in transit and at rest. SI-12 information management and retention governs data handling and retention.

Gaps

Delegated Regulation Art. 266 requires data security measures including information classification and protection of data in transit, at rest, and during processing. SP 800-53 provides comprehensive coverage. Minor gaps: the regulation requires classification aligned with the undertaking's risk appetite and policyholder data sensitivity, and specific handling rules for insurance-specific data categories (claims data, medical data, underwriting data).

DR.267 Delegated Regulation Art. 267 — investment risk management

Rationale

PM-09 risk management strategy and RA-03 risk assessment provide general risk management frameworks that could inform investment risk management at a high level. However, investment risk management is fundamentally a financial risk discipline.

Gaps

Delegated Regulation Art. 267 requires sound investment risk management procedures covering asset-liability matching, concentration risk, derivative use, securitisation, and investment in non-transparent assets. SP 800-53 does not address financial investment risk, asset-liability management, or prudent person principle requirements. Only tangential IT risk aspects of investment management systems are covered.

DR.272 Delegated Regulation Art. 272 — outsourcing policy

Rationale

SR-01 supply chain policy, SR-02 supply chain risk plan, SR-03 supply chain controls, SR-04 provenance, SR-05 acquisition strategies, SR-06 supplier assessments, SR-07 supply chain operations security, SR-08 notification agreements, SR-10 inspection, and SR-11 component authenticity provide comprehensive supply chain governance. AC-20 external systems, PS-07 third-party personnel, SA-04 acquisitions, and SA-09 external services address specific outsourcing controls.

Gaps

Delegated Regulation Art. 272 requires a written outsourcing policy covering selection criteria, due diligence procedures, ongoing monitoring, documentation, and contingency planning for outsourced activities. Critical or important function outsourcing requires AMSB approval and supervisory notification. SP 800-53 supply chain controls are extensive but do not address AMSB approval workflows, supervisory notification, policyholder service impact assessment, or the specific distinction between critical and non-critical outsourcing with differentiated governance requirements.

DR.274 Delegated Regulation Art. 274 — contingency plans for outsourcing

Rationale

CP-02 contingency plan and CP-04 contingency plan testing address business continuity for disrupted services. SA-09 external information system services governs third-party relationships. SR-01 supply chain policy and SR-12 component disposal address exit planning.

Gaps

Delegated Regulation Art. 274 requires undertakings to develop contingency plans and exit strategies for outsourced critical or important functions, ensuring that service can continue or be brought back in-house or transferred to another provider without disruption to policyholders. SP 800-53 covers contingency planning and component disposal but does not address the specific exit strategy requirements including transition periods, data migration plans, reversibility testing, or the policyholder continuity mandate.

EIOPA-Cloud-GL3 EIOPA Cloud Outsourcing Guidelines — due diligence and risk assessment

Rationale

RA-03 risk assessment and RA-09 (Rev 5) criticality analysis support pre-outsourcing risk evaluation. SA-04 acquisition process and SA-09 external services govern cloud service procurement. AC-20 use of external systems. SR-02 through SR-06 supply chain risk management plan, controls, provenance, acquisition strategies, and supplier assessments address ongoing cloud vendor governance.

Gaps

EIOPA-BoS-20/002 Guideline 3 requires comprehensive pre-outsourcing risk assessment including assessment of concentration risk, data location and processing jurisdiction, portability and interoperability, and subcontracting chains. SP 800-53 supports vendor risk assessment but does not address EU data sovereignty requirements, cloud concentration risk, insurance-specific risk assessment criteria, or the EIOPA requirement to consider the impact on the undertaking's risk profile and solvency position.

EIOPA-Cloud-GL7 EIOPA Cloud Outsourcing Guidelines — access and audit rights

Rationale

CA-02 security assessments, SR-06 supplier assessments and reviews, and SR-10 inspection of systems or components provide assessment and audit capabilities over third-party providers.

Gaps

EIOPA-BoS-20/002 Guideline 7 requires contractual access and audit rights including: the right to conduct on-site and off-site audits of the cloud service provider, access to audit reports (e.g., ISAE 3402, SOC 2), the right to designate third parties as auditors, and cooperation with supervisory authorities including unrestricted access. SP 800-53 provides assessment and inspection controls but does not mandate specific contractual audit clauses, supervisory authority access provisions, or the right to pool audits with other undertakings as EIOPA recommends.

EIOPA-Cloud-GL9 EIOPA Cloud Outsourcing Guidelines — data protection and data location

Rationale

AC-04 information flow enforcement controls data movement. CM-12 (Rev 5) information location identifies where data resides. PT-01 through PT-04 (Rev 5) privacy controls address data processing authority, consent, and transparency. SC-08 transmission integrity and SC-28 protection at rest secure data in transit and at rest. SI-12 information management and retention governs data handling.

Gaps

EIOPA-BoS-20/002 Guideline 9 requires knowledge of data location (including backups and metadata), data encryption, assessment of the legal framework in the country of data processing, and measures addressing risks of foreign government access to data. SP 800-53 provides data location tracking and encryption but does not address EU data sovereignty (post-Schrems II), transfer impact assessments, GDPR transfer mechanisms (SCCs, BCRs), or the specific insurance supervisory requirement for data to remain accessible to NCAs. The interaction between cloud data location and policyholder data protection obligations is not covered.

EIOPA-Cloud-GL11 EIOPA Cloud Outsourcing Guidelines — exit strategies and portability

Rationale

CP-02 contingency plan addresses continuity during transition. SA-09 external information system services and SR-01 supply chain policy provide general governance. SR-12 component disposal addresses exit activities.

Gaps

EIOPA-BoS-20/002 Guideline 11 requires exit strategies for cloud outsourcing including: documented exit plan, transition periods, data migration and portability provisions, continued service during transition, secure deletion upon exit, and regular testing of exit plans. SP 800-53 covers contingency planning and disposal but does not address data portability, transition planning, cloud-specific exit testing, or the insurance-specific requirement to maintain policyholder service continuity during provider transitions.

EIOPA-ICT-4.1 EIOPA ICT Guidelines — ICT governance and strategy

Rationale

PL-01 security planning policy and PL-02 system security plans address planning. PM-01 programme plan, PM-02 senior information security role, and PM-29 (Rev 5) risk management programme leadership establish governance structure. PM-03 capital planning and SA-02 allocation of resources address budgeting for ICT. PL-09 (Rev 5) central management supports unified ICT strategy oversight.

Gaps

EIOPA-BoS-20/600 Guideline 4.1 requires an ICT strategy approved by the AMSB, aligned with the business strategy, and periodically reviewed. The strategy must address ICT evolution, budget, third-party dependencies, and ICT risk appetite. SP 800-53 covers planning and resource allocation but lacks the concept of a board-approved ICT strategy document, explicit business-ICT alignment, or insurance-specific ICT strategic planning requirements.

EIOPA-ICT-4.2 EIOPA ICT Guidelines — ICT risk management framework

Rationale

Comprehensive risk management framework support via RA-01, RA-03, RA-07 (Rev 5) risk response, and RA-09 (Rev 5) criticality analysis. PM-01 programme plan, PM-09 risk management strategy, and PM-28 (Rev 5) risk framing establish risk management structure. CA-02 assessments and CA-07 continuous monitoring support ongoing framework evaluation. PL-09, PL-10, PL-11 (Rev 5) enable systematic risk-based control selection and central management.

Gaps

EIOPA-BoS-20/600 Guideline 4.2 requires an ICT risk management framework integrated into the overall risk management framework, with three lines of defence, independent ICT risk function, and AMSB oversight. SP 800-53 covers risk assessment, response, and monitoring well. Gaps: three lines of defence model, independent ICT risk function requirement, insurance-specific risk appetite integration, and the AMSB reporting obligations for ICT risk.

EIOPA-ICT-4.3 EIOPA ICT Guidelines — ICT asset management and classification

Rationale

CM-08 component inventory and CM-12 (Rev 5) information location provide asset identification and tracking. CM-13 (Rev 5) data action mapping documents data processing flows. AC-16 security attribute labelling and RA-02 security categorisation enable classification. RA-09 (Rev 5) criticality analysis identifies critical components supporting business functions. SA-05 system documentation.

Gaps

EIOPA-BoS-20/600 Guideline 4.3 requires undertakings to identify, register, and classify all ICT assets, mapping them to business functions and services. SP 800-53 provides strong coverage via CM-08, CM-12, CM-13, and RA-09. Minor gaps: the EIOPA requirement for explicit business function-to-ICT asset mapping with dependencies, and the insurance-specific requirement to identify assets supporting policyholder-facing services.

EIOPA-ICT-4.4 EIOPA ICT Guidelines — logical security and access control

Rationale

Comprehensive access control via AC-01 through AC-07 (policies, account management, access enforcement, separation of duties, least privilege, unsuccessful attempts), AC-11 session lock, AC-12 session termination, AC-17 remote access. Complete identification and authentication via IA-01 through IA-05 (policy, user/device auth, identifier and authenticator management), IA-08 non-organisational users, and IA-12 identity proofing. Excellent coverage of the logical security requirements.

Gaps

EIOPA-BoS-20/600 Guideline 4.4 requires logical security controls including access management, strong authentication, privileged access management, and access reviews. SP 800-53 provides comprehensive coverage. Minimal gaps: the EIOPA guideline specifically requires periodic access recertification reviews aligned with HR processes and insurance-specific access requirements for claims, underwriting, and actuarial systems.

EIOPA-ICT-4.5 EIOPA ICT Guidelines — physical security

Rationale

PE-01 physical and environmental protection policy sets the baseline. PE-02 through PE-06 cover access authorisation, access control, access control for transmission, delivery and removal, and monitoring. PE-08 visitor access records, PE-09 and PE-10 power equipment and cabling, and PE-11 through PE-15 emergency shutoff, lighting, fire protection, environmental controls, and water damage protection address the physical environment. PE-17 alternate work site and PE-18 location of system components complete the picture. Together these provide comprehensive physical security coverage.

Gaps

EIOPA-BoS-20/600 Guideline 4.5 requires physical security measures for ICT systems and data centres. SP 800-53 PE family provides extensive coverage. Minimal gap: the EIOPA guideline requires physical security measures proportionate to the criticality of the ICT systems and aligned with the undertaking's risk appetite — this proportionality lens is absent from SP 800-53.

EIOPA-ICT-4.6 EIOPA ICT Guidelines — network security

Rationale

AC-04 information flow enforcement and AC-17 through AC-19 remote, wireless, and mobile access control the network access paths. CA-03 governs authorisation of system connections. SC-02 and SC-03 isolate applications and functions; SC-05 protects against denial of service; SC-07 provides boundary protection; SC-08 protects transmission integrity; and SC-20 through SC-22 secure DNS and name resolution. SC-46 (Rev 5) cross-domain policy enforcement and SC-47 (Rev 5) alternate communications safeguards strengthen network resilience.

Gaps

EIOPA-BoS-20/600 Guideline 4.6 requires network security measures including segmentation, monitoring, and protection of data in transit. SP 800-53 provides comprehensive network security coverage. Minimal gap: the guideline requires network security to be aligned with the ICT risk appetite and specifically address insurance distribution channels and policyholder-facing network services.

EIOPA-ICT-4.7 EIOPA ICT Guidelines — cryptography and key management

Rationale

IA-07 cryptographic module authentication, SC-08 transmission confidentiality and integrity, SC-12 cryptographic key establishment and management, SC-13 cryptographic protection, SC-17 public key infrastructure certificates, and SC-28 protection of information at rest together provide comprehensive cryptographic control coverage.

Gaps

EIOPA-BoS-20/600 Guideline 4.7 requires appropriate cryptographic measures based on data classification and risk assessment. SP 800-53 cryptographic controls are comprehensive. Minimal gap: the EIOPA guideline requires cryptographic standards aligned with the undertaking's data classification scheme and policyholder data protection obligations under GDPR.

EIOPA-ICT-4.8 EIOPA ICT Guidelines — ICT operations management

Rationale

CM-02 through CM-07 configuration management (baseline, change control, impact analysis, access restrictions, settings, least functionality). CM-14 (Rev 5) signed components ensures integrity of changes. MA-01 through MA-03, MA-06 maintenance policies, scheduling, tools, and timely maintenance. SI-02 flaw remediation and SI-07 software integrity verification. SI-13 (Rev 5) predictive maintenance enables proactive system management.

Gaps

EIOPA-BoS-20/600 Guideline 4.8 requires ICT operations management including change management, patch management, capacity planning, and system monitoring. SP 800-53 covers change and configuration management comprehensively. Minor gaps: the EIOPA guideline specifically requires capacity management aligned with business projections, formal change advisory board processes, and insurance-specific operational SLA management.

EIOPA-ICT-4.9 EIOPA ICT Guidelines — ICT incident and problem management

Rationale

IR-01 incident response policy, IR-02 training, IR-03 testing, IR-04 incident handling, IR-05 monitoring, IR-06 reporting, IR-07 assistance, IR-08 incident response plan. IR-09 (Rev 5) information spillage response adds data breach handling. AU-06 audit review and analysis, SI-04 system monitoring, and SI-05 security alerts support detection and triage.

Gaps

EIOPA-BoS-20/600 Guideline 4.9 requires ICT incident management processes including classification, escalation, root cause analysis, and reporting to the AMSB and supervisory authorities for significant incidents. SP 800-53 IR family covers incident handling well. Gaps: EIOPA requires specific incident classification criteria aligned with the undertaking's risk appetite, AMSB reporting for significant incidents, supervisory reporting within defined timescales, problem management (distinct from incident management), and post-incident reviews feeding into the risk management framework.

EIOPA-ICT-4.10 EIOPA ICT Guidelines — business continuity management

Rationale

CP-01 contingency planning policy, CP-02 contingency plan, CP-03 training, CP-04 testing, CP-06 alternate storage, CP-07 alternate processing, CP-08 telecommunications, CP-09 backup, CP-10 recovery. CP-12 safe mode and CP-13 alternative security mechanisms support resilient operations. SC-24 (Rev 5) fail in known state ensures predictable recovery.

Gaps

EIOPA-BoS-20/600 Guideline 4.10 requires business continuity management integrated with the undertaking's BCP, with defined RTOs and RPOs for critical functions, regular testing (at least annually), and crisis communication plans. SP 800-53 CP family covers IT continuity well. Gaps: the EIOPA requirements for insurance-specific RTOs/RPOs (e.g., continuity of claims processing and policy administration), AMSB involvement in BCP testing, crisis communication to policyholders, and integration with the undertaking's broader (non-IT) business continuity plans.

EIOPA-ICT-4.11 EIOPA ICT Guidelines — ICT project management and change

Rationale

CM-03 configuration change control, CM-04 impact analysis, CM-05 access restrictions for change. CM-14 (Rev 5) signed components for change integrity. SA-03 system development lifecycle, SA-08 security and privacy engineering, SA-10 developer configuration management, SA-11 developer testing and evaluation, SA-15 development process standards and tools, SA-17 developer security and privacy architecture and design.

Gaps

EIOPA-BoS-20/600 Guideline 4.11 requires ICT project management and change processes with risk assessment, AMSB oversight for significant projects, segregation of development/test/production environments, and post-implementation reviews. SP 800-53 covers SDLC and change management well. Gaps: formal project governance with AMSB oversight, mandatory segregation of environments (not just recommended), and the specific post-implementation review requirement.

Pillar3-Reporting Pillar 3 — supervisory reporting and public disclosure (data integrity)

Rationale

AU-02, AU-03 auditable events and content of audit records ensure reporting data traceability. AU-09 protection of audit information and AU-10 non-repudiation support reporting integrity. AU-11 audit record retention preserves reporting evidence. SI-07 software and information integrity verification, SI-10 information input validation, and SI-12 information management and retention address data quality for reporting systems.

Gaps

Solvency II Pillar 3 requires Regular Supervisory Reporting (RSR) and the Solvency and Financial Condition Report (SFCR) to be accurate, complete, and submitted via XBRL taxonomy. SP 800-53 supports data integrity and audit trail controls but does not address regulatory reporting formats (XBRL), quantitative reporting templates (QRTs), narrative reporting requirements, supervisory review deadlines, or the specific data quality standards for prudential reporting. The requirement for board sign-off on the SFCR is outside scope.

Methodology and Disclaimer

This coverage analysis maps from Solvency II clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.