The European Banking Authority has amended its Guidelines on ICT and security risk management measures to reduce their scope in light of the Digital Operational Resilience Act (DORA) applying from 17 January 2025, with the stated aim of avoiding duplication and improving legal clarity. The amendments limit the entity scope to firms covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions. The Guidelines’ substantive scope is also narrowed to requirements on relationship management of payment service users in relation to the provision of payment services. For payment service providers not covered by DORA, the Payment Services Directive (PSD2) security and operational risk management requirements (applicable since March 2018) continue to apply, and those firms may also be subject to additional national requirements; competent authorities or Member States’ governments may retain the approach in the EBA Guidelines for such firms through national legal frameworks or supervisory measures. The amended Guidelines will apply within two months of publication of the translated versions.
European Banking Authority 2025-02-11
European Banking Authority narrows ICT and security risk management Guidelines following DORA’s application
The European Banking Authority revised its Guidelines on ICT and security risk management to align them with the Digital Operational Resilience Act (DORA), which applies from January 2025, and to improve legal clarity. The amended Guidelines apply only to entities covered by DORA, such as credit institutions and payment institutions; other payment service providers remain subject to the Payment Services Directive (PSD2) requirements and may face additional national requirements. The revised Guidelines take effect two months after the translated versions are published.