On 11 February 2025, the European Banking Authority (EBA) issued an updated version of its guidelines on ICT and security risk management measures. The original guidelines were built on Article 74 of the Capital Requirements Directive IV (CRD IV) and Article 95 of the Payment Services Directive 2 (PSD2). The update is intended to avoid duplication with the ICT risk management requirements introduced by the Digital Operational Resilience Act (DORA), which applies to financial entities across the banking, securities/markets, insurance and pensions sectors.
In the update, the EBA narrows down:
- The entity scope of the guidelines to only those entities that are covered by DORA, namely credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.
- The subject-matter scope of the guidelines to the requirements on the management of the relationship with payment service users in relation to the provision of payment services, the area that DORA's ICT risk management requirements do not cover.
Next steps
The updated guidelines will apply within two months of the publication of the translated versions; until then, the existing guidelines remain in force.