Following the implementation of the Digital Operational Resilience Act (DORA) on 17 January, the European Banking Authority (EBA) has published amendments to its guidelines on ICT and security risk management. These amendments were made to avoid duplication with the harmonised requirements on ICT risk management introduced by DORA so as to provide “legal clarity to the market”. 

The amendments include a narrowing of the guidelines' scope so that they apply only to entities covered by DORA. These include credit institutions, payment institutions, and account information service providers. The scope of the requirements for relationship management of payment service users has also been narrowed. 

For payment service providers not covered by DORA, the risk management requirements under the Payment Services Directive (PSD2) still apply. These entities, which include post office giro institutions and credit unions, “can potentially be subject to additional national requirements” while also remaining subject to the EBA guidelines. 