“To prevent duplication of requirements and ensure legal clarity in the market, the EBA amended its guidelines on ICT and security risk management,” announced the European Banking Authority in a press release on Tuesday 11 February 2025. Photo: EBA

The European Banking Authority has updated its ICT and security risk management guidelines, focusing on entities covered by digital operational resilience act and providing legal clarity for the market.

The European Banking Authority has made amendments to its guidelines on ICT and security risk management, narrowing the scope of the framework to align with the digital operational resilience act (Dora). These changes, announced on Tuesday 11 February 2025, aim to simplify the ICT risk management framework and provide greater legal clarity within the market, according to the EBA.

Dora, which came into force on 17 January 2025, introduces harmonised ICT risk management requirements that will apply across various financial sectors, including banking, securities, insurance and pensions. As part of the regulatory adjustments, the EBA has sought to reduce potential overlaps in requirements by revising its existing guidelines on ICT and security risk management.

The key amendments to the guidelines involve a narrowing of their scope in two key areas. First, the entity scope of the guidelines has been limited to those organisations that fall under Dora’s coverage. These include credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions. Second, the scope of the guidelines has been narrowed to focus solely on the relationship management requirements between payment service users and the provision of payment services.

However, the EBA pointed out that the security and operational risk management obligations established under the payment services directive (PSD2) will continue to apply to other types of payment service providers (PSPs) not covered by Dora. This includes institutions such as post-office savings providers and credit unions. These PSPs will remain subject to the risk management provisions under PSD2, which have been in effect since March 2018. Additionally, these providers may face further national requirements, even in the presence of the EBA’s amended guidelines. Member states’ governments or competent authorities may choose to retain the approach outlined in the EBA guidelines for these PSPs under their national legal frameworks or supervisory measures.

The amended EBA guidelines are expected to apply within two months following the publication of their translated versions, thus ensuring that financial institutions across the EU are aligned with the new legal framework.