A&O Shearman | FinReg | European Banking Authority publishes amending guidelines on ICT and security risk management in the context of DORA
Financial Regulatory Developments Focus
  • European Banking Authority publishes amending guidelines on ICT and security risk management in the context of DORA

    11 February 2025
    The European Banking Authority (EBA) has published a final report with amending guidelines in respect of Guidelines EBA/GL/2019/04 on ICT and security risk management. The EBA reviewed the Guidelines in light of the Digital Operational Resilience Act (DORA), which introduced harmonised requirements for ICT, risk management framework (RMF), incident reporting and third-party risk management and testing for certain financial entities. The entities subject to DORA and the related RTS on RMF overlap with those subject to the Guidelines. Therefore, to ensure transparency and legal certainty, the EBA reviewed the Guidelines and concluded that the set of entities subject to the Guidelines should be narrowed, and that the scope of the Guidelines should be reduced to cover certain institutions providing payment services which are not in scope of DORA, and guidelines on relationship management of payment services where this is not covered by the DORA requirements. The amending guidelines will be translated into the official EU languages and will apply no later than two months after issuance.
