Revised EBA guidelines – what is the focus now?

On February 11, 2025, the European Banking Authority (EBA) released its final report [1] and a corresponding press release [2] announcing updates to its Guidelines on ICT and security risk management. Below, we provide a brief overview of the regulatory realignment:
  • Revised EBA guidelines – what is the focus now?
  • What were the EBA’s primary objectives in revising the guidelines?
  • What impact will the changes have on institutions?

Revised EBA guidelines – what is the focus now?

The updates to Guidelines on ICT and security risk management are closely tied to the recent implementation of the Digital Operational Resilience Act (DORA), which entered into application across the EU on January 17, 2025. The amendments significantly narrow the scope of the original 2019 Guidelines (EBA/GL/2019/04) to align them with DORA’s harmonized framework. Going forward, they will apply only to a defined group of entities, including:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Exempted payment and e-money institutions

Importantly, the Guidelines now narrow their focus from general ICT risk management to specifically managing relationships with users of payment services. This includes PSD2-related areas such as secure communication, data protection, and service continuity. Broader ICT and security risk management practices are now governed by DORA.

What were the EBA’s primary objectives in revising the guidelines?

The EBA’s primary objective in revising the Guidelines was presumably to eliminate regulatory overlap and provide greater legal clarity.

With DORA introducing a comprehensive and binding set of ICT risk management requirements across the EU financial sector, the EBA sought to:

  • Avoid overlap of compliance obligations with DORA
  • Ensure consistency with DORA’s regulatory framework (e.g. by aligning terminology)
  • Clarify which entities and responsibilities remain under the EBA’s direct oversight

The amendments also support a more consistent supervisory approach across the EU, particularly for institutions that fall outside DORA’s scope but remain subject to national rules or PSD2-based requirements.

What impact will the changes have on institutions?

The revised Guidelines entered into force on May 20, 2025. This date also marks the compliance deadline.

For institutions fully covered by DORA and still within the narrowed scope of the EBA Guidelines, no additional action is required. However, entities that are no longer subject to the Guidelines may want to review their current compliance frameworks. Depending on how the Guidelines have been implemented at the national level, this change could present opportunities to streamline internal processes and reduce regulatory burden.
