.svg)
The European Banking Authority (EBA) has amended its guidelines on ICT and security risk management measures to align with the Digital Operational Resilience Act (DORA), which came into force on January 17.
The revisions narrow the scope of the guidelines, aiming to streamline regulatory requirements and eliminate overlaps.
DORA introduces harmonised ICT risk management obligations and, to avoid regulatory duplication, the EBA has refined its guidelines to focus only on entities covered under the act.
These include credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.
In addition, the guidelines will now primarily address relationship management of payment service users in the context of payment services.
Financial entities that fall outside DORA’s scope, such as post-office giro institutions and credit unions, will continue to follow ICT security and operational risk management rules under the revised Payment Services Directive (PSD2), which has been in effect since 2018.
These institutions may also be subject to additional local requirements at the discretion of their respective national competent authorities.
The EBA’s guidelines on ICT and security risk management were originally introduced in 2019 to establish consistent cybersecurity standards across the EU financial sector. They were based on the Capital Requirements Directive (CRD IV) and PSD2 provisions.
The updated guidelines will officially apply two months after the publication of translated versions, giving financial institutions time to adjust to the revised framework.
