European Banking Authority repeals PSD2 major incident reporting guidelines as DORA harmonised incident reporting takes effect

The European Banking Authority has repealed its Guidelines on major incident reporting under the revised Payment Services Directive (PSD2) following the start of harmonised incident reporting requirements under the Digital Operational Resilience Act (DORA) from 17 January 2025. The repeal is intended to simplify incident reporting for payment service providers and provide legal certainty as DORA replaces PSD2 incident reporting for in-scope firms. DORA introduces a single incident reporting regime for financial entities across banking, securities and markets, insurance, and pensions, covering most payment service providers including credit institutions, payment institutions, e-money institutions and account information service providers. While PSD2 incident reporting requirements continue to apply to payment service providers not covered by DORA, such as post-office giro institutions and credit unions, the EBA repealed the Guidelines in full given the small number of these firms, their limited geographic footprint, and the negligible volume and significance of their EU-level incident reports. For payment service providers that remain subject to PSD2 incident reporting, national incident reporting requirements may still apply, and competent authorities that wish to preserve the approach set out in the repealed Guidelines can do so under national legal frameworks or supervisory measures.