Securities Lending Times
Leading the Way

Global Securities Finance News and Commentary
Regulation news

DORA: EBA upgrades ICT and security risk management measures


11 February 2025 EU
Reporter: Daniel Tison

The European Banking Authority (EBA) has narrowed down the scope of its existing guidelines on ICT and security risk management measures.

In line with the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, these amendments aim to simplify the ICT risk management framework, avoid duplication of requirements, and provide legal clarity to the market.

DORA has introduced harmonised requirements on ICT risk management that apply to financial entities across the banking, securities, insurance, and pensions sectors.

In particular, the EBA has narrowed down the entity scope of the guidelines to only those that are covered by DORA – credit institutions, payment institutions, account information service providers, exempted payment institutions, and exempted e-money institutions.

Other types of payment service providers (PSPs) are still subject to security and operational risk management under the Payment Services Directive (PSD2), which has been in force since March 2018.

The original guidelines from November 2019 established requirements for credit institutions, investment firms, and PSPs on the mitigation and management of their ICT and security risks, with the aim of ensuring a consistent and robust approach across the single market.

These guidelines entered into force in 2020, replacing the preceding guidelines on security measures for operational and security risks that the EBA had issued three years earlier.

From 17 January 2025, DORA applies, with harmonised requirements for the ICT risk management framework, incident reporting, and third-party risk management and testing.

The amended guidelines will apply within two months of the publication of the translated versions.