Amendment of guidelines on ICT and security risk management under DORA

20/02/2025


The European Banking Authority (EBA) has narrowed the scope of its existing Guidelines on ICT and security risk management to align them with the harmonized ICT risk management requirements introduced by the Digital Operational Resilience Act (DORA), which applies from 17 January 2025. The changes are intended to simplify the ICT risk management framework and give the market greater legal clarity.

DORA establishes uniform ICT risk management requirements across the banking, securities/markets, insurance, and pensions sectors. To prevent regulatory overlap and improve legal clarity, the EBA has amended its Guidelines by narrowing:

  • The entity scope to only those covered by DORA, including credit institutions, payment institutions, account information service providers, exempted payment institutions, and exempted e-money institutions.
  • The Guidelines’ focus to requirements related to managing relationships with payment service users in the provision of payment services.

The security and operational risk management requirements under the revised Payment Services Directive (PSD2), in effect since March 2018, continue to apply to payment service providers (PSPs) that fall outside DORA's scope, such as post-office giro institutions and credit unions. These PSPs may also be subject to additional national requirements independent of the EBA Guidelines, and competent authorities or national governments may choose to keep the EBA's approach within their own legal and supervisory frameworks.

Background, Legal Basis, and Next Steps

The EBA initially published its Guidelines on ICT and security risk management (EBA/GL/2019/04) on 27 November 2019, based on Article 74 of Directive 2013/36/EU (CRD) and Article 95(3) of Directive (EU) 2015/2366 (PSD2). These Guidelines established requirements for credit institutions, investment firms, and PSPs to ensure a consistent and robust ICT and security risk management approach across the Single Market. They came into force in 2020, replacing the previous 2017 Guidelines on security measures.

With DORA applying from 17 January 2025, harmonized requirements now cover ICT risk management frameworks, ICT-related incident reporting, ICT third-party risk management, and digital operational resilience testing. The amended Guidelines will apply two months after the publication of their translated versions.
