DORA: EBA upgrades ICT and security risk management measures
11 February 2025 EU
The European Banking Authority (EBA) has narrowed down the scope of its existing guidelines on ICT and security risk management measures.
In line with the Digital Operational Resilience Act (DORA) from 17 January 2025, these amendments aim to simplify the ICT risk management framework, avoid duplication of requirements, and provide legal clarity to the market.
DORA has introduced harmonised requirements on ICT risk management that apply to financial entities across the banking, securities, insurance, and pensions sectors.
In particular, the EBA has narrowed down the entity scope of the guidelines to only those that are covered by DORA – credit institutions, payment institutions, account information service providers, exempted payment institutions, and exempted e-money institutions.
Other types of payment service providers (PSPs) are still subject to security and operational risk management under the Payment Services Directive (PSD2), which has been in force since March 2018.
The original guidelines from November 2019 established requirements for credit institutions, investment firms, and PSPs on the mitigation and management of their ICT and security risks, with the aim of ensuring a consistent and robust approach across the single market.
These guidelines entered into force in 2020, replacing the preceding guidelines on security measures for operational and security risks that the EBA had issued three years earlier.
From 17 January 2025, DORA applies, with harmonised requirements for the ICT risk management framework, incident reporting, third-party risk management, and testing.
The amended guidelines will apply within two months of the publication of the translated versions.