
EBA amends guidelines on ICT and security risk management

The European Banking Authority (EBA) narrowed down the scope of its existing Guidelines on ICT and security risk management measures, due to the application of harmonised ICT risk management requirements under the Digital Operational Resilience Act (DORA) from 17 January 2025.


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

These amendments aim to simplify the ICT risk management framework and to provide legal clarity to the market.

DORA has introduced harmonised requirements on ICT risk management that apply to financial entities across the banking, securities/markets, insurance and pensions sectors.

To avoid duplication of requirements and to provide legal clarity to the market, the EBA has amended its Guidelines on ICT and security risk management. In particular, the EBA has narrowed down:

the entity scope of the Guidelines to only those that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions; and
the scope of the Guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.

It is important to note that the security and operational risk management requirements under the Payment Services Directive (PSD2), which have applied since March 2018, continue to apply to other types of payment service providers (PSPs), such as post-office giro institutions and credit unions, that are not covered by DORA. PSPs that remain subject to security and operational risk management under PSD2 can potentially be subject to additional national requirements, regardless of whether the EBA Guidelines would apply to them. Competent authorities or Member States’ governments wishing to retain the approach set out in the EBA Guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures.

Background, legal basis and next steps

On 27 November 2019, the EBA published the Guidelines on ICT and security risk management (EBA/GL/2019/04) (“Guidelines”), which were built on the provisions of Article 74 of Directive 2013/36/EU (CRD)[1] and Article 95(3) of Directive (EU) 2015/2366 (PSD2)[2]. These Guidelines established requirements for credit institutions, investment firms and PSPs on the mitigation and management of their ICT and security risks and aimed to ensure a consistent and robust approach across the Single Market. The Guidelines entered into force in 2020 and replaced and repealed the preceding Guidelines on security measures for operational and security risks that the EBA had issued three years earlier in fulfilment of a mandate under PSD2 (EBA/GL/2017/17).

From 17 January 2025, DORA applies and introduces, inter alia, harmonised requirements for the ICT risk management framework (RMF), incident reporting, third-party risk management and testing.

The amended Guidelines will apply within two months of the publication of the translated versions.

