Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
To safeguard customer trust and to keep the bank secure, the office of the Chief Information Security Officer (CISO) predicts, prevents, detects, and responds to threats and incidents. Secure architecture, security engineering, and Identity and Access Management are preventive measures that define, implement and review components that mitigate the risk of unauthorised access to IT systems and the data processed and stored therein. Security detection and response functionality is implemented to identify malicious behaviour and provide timely alerts. Cyber threat assessments deliver awareness of new and existing threats and vulnerabilities targeting ING infrastructure.
ING continues to invest in cybersecurity capabilities in all domains (prediction, prevention, detection, response, and recovery).
Different types of cyberthreats are not only relevant for the financial industry, but are increasingly hitting its supply chains. We monitor these cybersecurity risks from our suppliers via the Third-Party Cyber Risk Management process. This process is part of the generic risk management framework as defined in the Non-Financial Risk Framework Policies. These policies are detailed in a set of Minimum Standards, among which is the Security Monitoring Minimum Standard.
The policy documents (policies, minimum standards, process control standards) identify inherent risks and contain objectives and controls to mitigate identified inherent risks as well as a section on roles and responsibilities regarding IT and controls.
The different processes for assessing, identifying, and managing material risks from cybersecurity threats address the objectives as defined in the Information and Technology Risk Policy.
The Global CISO and key security positions are held by internal staff. The ING Group IT Audit function is fully internally staffed. The key controls in the risk management framework relevant for internal control over financial reporting are audited by an external auditor.
In addition, ING continues to strengthen its global cybercrime resilience through collaboration with financial industry peers, law enforcement authorities, government (e.g. the National Cyber Security Centre) and Internet Service Providers (ISPs).
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
The continuous enhancement of the control environment to protect from, detect, and respond to distributed denial-of-service (DDoS) attacks, targeted attacks and, more specifically, ransomware attacks is of the highest priority.
Based on regular scenario analysis done in ING’s first line of defence, additional defensive controls continue to be embedded in the organisation as part of the overall internal control framework and are continuously re-assessed against existing and new threats.
The further digitalisation of banking services, the increasing electronic exchange of information via different consumer channels, the use of and dependency on third-party vendors for services, and the implementation of the EU Digital Operational Resilience Act (DORA) are likely to present ongoing cybercrime-resilience and IT-security challenges, both in the short and medium term. Criminal actors are targeting financial and sensitive (payment) data, such as customer user credentials, outside the traditional banking environment. Sensitive (payment) or personal data can be obtained by criminals via social forums such as Facebook and LinkedIn.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The 3LoD Annual Report to the Management Banking Board, Executive Board and Audit Committee provides the relevant results of the CAS activities and a CAS’ view on the adequacy and effectiveness of ING’s processes for controlling its activities and managing its risk in all the areas of ING.
The Management Board Banking (MBB) and Executive Board (EB) of ING are informed of key IT / cybersecurity risks on a quarterly basis via Non-Financial Risk updates, and IT risks are also included in regular Integrated Risk updates. In addition, the MBB is immediately informed of any material cybersecurity incident after it has occurred. The Risk Committee (RiCo) of ING’s Supervisory Board (SB) receives the aforementioned Non-Financial Risk (NFR) update as well. Whenever a larger cyber incident occurs, this is in principle also discussed in the RiCo and SB on an ad hoc basis.
Those quarterly reports are pre-discussed by the Bank Non-Financial Risk Committee, in which senior NFR/Risk management is represented, before they are shared with the MBB/EB and RiCo.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The 3LoD Annual Report to the Management Banking Board, Executive Board and Audit Committee provides the relevant results of the CAS activities and a CAS’ view on the adequacy and effectiveness of ING’s processes for controlling its activities and managing its risk in all the areas of ING.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The 3LoD reports quarterly (CAS reports) to the Management Board Banking, Executive Board and Audit Committee including relevant results, details of the key reports issued during the quarter and the follow-up of reported findings. The 3LoD Annual Report to the Management Banking Board, Executive Board and Audit Committee provides the relevant results of the CAS activities and a CAS’ view on the adequacy and effectiveness of ING’s processes for controlling its activities and managing its risk in all the areas of ING.
Cybersecurity Risk Role of Management [Text Block] To safeguard customer trust and to keep the bank secure, the office of the Chief Information Security Officer (CISO) predicts, prevents, detects, and responds to threats and incidents.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The 3LoD Annual Report to the Management Banking Board, Executive Board and Audit Committee provides the relevant results of the CAS activities and a CAS’ view on the adequacy and effectiveness of ING’s processes for controlling its activities and managing its risk in all the areas of ING.
The Management Board Banking (MBB) and Executive Board (EB) of ING are informed of key IT / cybersecurity risks on a quarterly basis via Non-Financial Risk updates, and IT risks are also included in regular Integrated Risk updates. In addition, the MBB is immediately informed of any material cybersecurity incident after it has occurred. The Risk Committee (RiCo) of ING’s Supervisory Board (SB) receives the aforementioned Non-Financial Risk (NFR) update as well. Whenever a larger cyber incident occurs, this is in principle also discussed in the RiCo and SB on an ad hoc basis.
Those quarterly reports are pre-discussed by the Bank Non-Financial Risk Committee, in which senior NFR/Risk management is represented, before they are shared with the MBB/EB and RiCo.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The members of supervisory and oversight bodies have broad competency in the area of IT and cybersecurity. In the Management Board Banking of ING Bank, which has ING Groep as its sole shareholder, a dedicated Chief Technology Officer role is embedded. The Global Head of CISO reports directly to the CTO. The CTO is a technology executive with over 20 years of experience in leadership roles in the financial industry. The CTO has a strong understanding of data and technology, their application in ING’s operations, and the risks related to them.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Management Board Banking (MBB) and Executive Board (EB) of ING are informed of key IT / cybersecurity risks on a quarterly basis via Non-Financial Risk updates, and IT risks are also included in regular Integrated Risk updates. In addition, the MBB is immediately informed of any material cybersecurity incident after it has occurred. The Risk Committee (RiCo) of ING’s Supervisory Board (SB) receives the aforementioned Non-Financial Risk (NFR) update as well. Whenever a larger cyber incident occurs, this is in principle also discussed in the RiCo and SB on an ad hoc basis.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true