With the Digital Operational Resilience Act (DORA) coming into force on 17 January 2025, the European Banking Authority is streamlining its ICT and security risk management Guidelines to avoid duplication and ensure legal clarity.
What’s changing?
- The Guidelines now apply only to entities covered by DORA: credit institutions, payment institutions, AISPs, and exempted entities.
- The scope of the Guidelines has been narrowed to the requirements on relationship management of payment service users in relation to the provision of payment services.
- Non-DORA entities (e.g., credit unions, post-office giro institutions) remain under PSD2 security and risk management rules, potentially alongside national-level requirements.
Why does it matter?
DORA introduces harmonised ICT risk management requirements across financial sectors, ensuring consistency and reducing regulatory duplication. The amended EBA Guidelines provide legal clarity and streamline compliance.
📅 The updated Guidelines will apply within two months of the publication of the translated versions.