EBA narrows scope of ICT risk management requirements under DORA

The EBA has revised its Guidelines on ICT and security risk management to align with DORA, which came into force on 17 January 2025.

The revisions aim to simplify the ICT risk management framework and offer legal clarity to the market. The EBA has narrowed the scope of these Guidelines, specifically focusing on the entities covered by DORA, including credit institutions, payment institutions, and account information service providers. This will eliminate potential overlaps with existing regulations while ensuring consistent ICT risk management practices.

One significant change is the narrowing of the entity scope of the Guidelines to only those organisations directly impacted by DORA. The Guidelines now specifically cover credit institutions, payment institutions, exempted payment institutions, and exempted e-money institutions, while excluding other types of payment service providers (PSPs) not covered under DORA. PSPs still operating under the Payment Services Directive (PSD2) will remain subject to operational and security risk management requirements under that directive, which came into force in 2018.

In addition, the EBA has narrowed the scope of the Guidelines’ requirements on relationship management for payment service users, focusing only on the provision of payment services. These changes seek to ensure that there is no duplication of requirements for entities already governed by other regulatory frameworks.

The original Guidelines, published in November 2019, were based on the provisions of Article 74 of Directive 2013/36/EU (CRD) and Article 95(3) of Directive (EU) 2015/2366 (PSD2). These had set out ICT and security risk management requirements for credit institutions, investment firms, and PSPs. The revised Guidelines are now being adjusted to fit the evolving regulatory landscape ahead of DORA’s implementation in January 2025.

Copyright © 2025 RegTech Analyst
