EBA Refines Guidelines to Align with DORA, Bringing Clarity to ICT Risk Management


Key Takeaways:

  • Streamlined Guidelines: The EBA has narrowed the scope of its ICT and security risk management guidelines to align with the Digital Operational Resilience Act (DORA), focusing on institutions covered by DORA.
  • Clearer Expectations for Financial Entities: The amendments simplify the regulatory framework, particularly for credit institutions, payment institutions, and exempted e-money institutions, clarifying requirements around payment service user relationship management.
  • PSD2 Still Applies to Some PSPs: Payment service providers outside DORA’s scope, like credit unions and post-office giro institutions, continue to follow security and operational risk management under the Payment Services Directive (PSD2).
  • Guidelines Effective in Two Months: The amended guidelines will apply within two months after the publication of their translated versions, helping financial institutions better comply with evolving ICT risk management rules.
Deep Dive

As of 17 January 2025, the Digital Operational Resilience Act (DORA) has officially begun to reshape how the financial sector addresses ICT risk management. In response, the European Banking Authority (EBA) has made a series of key adjustments to its Guidelines on ICT and security risk management. These revisions, aimed at cutting down on duplication and creating clearer expectations for the market, help ensure that financial institutions aren’t bogged down by overlapping regulations.

But why exactly is this shift happening, and what does it mean for the entities involved? Let’s break it down.

The main objective behind the EBA’s amendments is to simplify the ICT risk management framework for financial entities across the banking, securities, insurance, and pensions sectors. DORA’s arrival has introduced a more harmonized set of requirements, making it necessary for the EBA to adjust its guidelines. The goal is to make things clearer, both for regulators and the market, and to avoid any unnecessary overlap in expectations.

The EBA has narrowed the scope of its Guidelines. They now specifically apply to the institutions directly covered by DORA, such as:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Exempted payment institutions and e-money institutions

This is a significant change. Previously the guidelines covered the full range of ICT and security risk management for a broader set of institutions, which at times created confusion about which text governed a given requirement. Now that DORA carries the general ICT risk management obligations, the EBA's guidelines concentrate on relationship management with payment service users, giving institutions a clearer picture of what is expected in that area and a single source for the rest.

Now, if you are a payment service provider (PSP) that does not fall under DORA's umbrella, such as a post-office giro institution or a credit union, you may be wondering what this means for you. The security and operational risk management requirements under PSD2, which have applied since 2018, continue to apply to you. Depending on where you are located, your national framework may add further layers of compliance: Member States and national competent authorities may choose to keep applying the EBA's approach to PSPs outside DORA's reach, and that is permitted under the current legal framework.

How Does DORA Fit In?

DORA's scope is all about harmonization. It covers ICT risk management, incident reporting, third-party risk management, and digital operational resilience testing, providing a unified framework across the financial sector. To keep things from becoming overly complicated, the EBA fine-tuned its Guidelines, narrowing them to avoid redundancy with DORA's broader requirements.

In short, the EBA is making sure that both DORA and its own guidelines work in harmony to strengthen the operational resilience of the entire EU financial sector, without tacking on excessive layers of complexity.

Looking Back to Move Forward

If you’re wondering where this all began, it’s useful to look at the EBA’s earlier work. Back in 2019, the EBA introduced the Guidelines on ICT and security risk management (EBA/GL/2019/04), which laid the groundwork for the rules financial institutions would need to follow when managing their ICT and security risks. These guidelines were crafted with input from the CRD (Directive 2013/36/EU) and PSD2 (Directive (EU) 2015/2366), and were meant to offer a consistent, robust approach for credit institutions, investment firms, and PSPs across the Single Market.

Fast forward to 2025, and DORA comes into play. It brings together several fragmented regulations and introduces new requirements for financial entities. These include things like strengthening ICT risk management frameworks, reporting incidents efficiently, and managing risks linked to third-party vendors. As a result, the EBA updated its guidelines to fit seamlessly within the framework DORA establishes.

So, what’s next? The EBA will roll out its amended Guidelines, which will come into effect within two months after the publication of their translated versions. From there, the financial sector can expect smoother regulatory compliance and clearer guidance on managing ICT risks.

This is a step forward in making sure that the financial sector remains resilient and secure as technology continues to evolve. As the sector adapts to DORA, it is important that regulatory bodies stay aligned, ensuring that rules and expectations are clear and streamlined, so institutions can focus on what they do best: providing services with integrity.
