
EBA amends its Guidelines on ICT and security risk management measures in the context of DORA application
The European Banking Authority (EBA) has narrowed down the scope of its existing Guidelines on ICT and security risk management measures, following the application of harmonised ICT risk management requirements under the Digital Operational Resilience Act (DORA) from 17 January 2025. These amendments aim to simplify the ICT risk management framework and provide legal clarity to the market.
DORA has introduced harmonised requirements on ICT risk management that apply to financial entities across the banking, securities/markets, insurance and pensions sectors.
To avoid duplication of requirements and to provide legal clarity to the market, the EBA has amended its Guidelines on ICT and security risk management. In particular, the EBA has narrowed down:
- the entity scope of the Guidelines to only those that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions; and
- the scope of the Guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.
It is important to note that the security and operational risk management requirements under the Payment Services Directive (PSD2), which have applied since March 2018, continue to apply to other types of payment service providers (PSPs) that are not covered by DORA, such as post-office giro institutions and credit unions. PSPs that remain subject to security and operational risk management under PSD2 may also be subject to additional national requirements, regardless of whether any EBA Guidelines apply to them. Competent authorities or Member States' governments wishing to retain the approach set out in the EBA Guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures.
