EBA updates ICT risk management guidelines to align with DORA

Posted on February 16, 2025 by Editor

The European Banking Authority (EBA) has updated its existing ICT and security risk management guidelines in the light of the Digital Operational Resilience Act (DORA), which took effect last month on 17 January. These changes aim to simplify requirements, eliminate duplication, and provide greater legal clarity for financial institutions.

DORA introduces harmonised ICT risk management rules across banking, insurance, pensions, and securities markets, ensuring a consistent approach to digital resilience. To avoid overlap, the EBA has narrowed the scope of its older guidelines, limiting them for financial entities covered by DORA, including credit institutions, payment institutions, and e-money institutions. However, security and operational risk requirements under PSD2 remain in place for certain specialist payment service providers, such as credit unions and post-office giro institutions.

These updates reflect the growing importance of digital resilience in financial services, ensuring that institutions can effectively manage cyber risks and operational threats. The revised guidelines will take effect within two months of their publication in all EU languages.

Learn more about the amendments here.
