The amendments by the European Banking Authority (EBA) are intended to provide legal clarity and also avoid confusing duplication in guidelines applying to ICT risk management.
Paragraphs 1-91, which are contained in Sections 3.1 to 3.7 of the EBA’s Guidelines on ICT and security risk management, are being repealed, along with all definitions.
The subject matter of the guidelines is being revised to point out that they “complement the risk management measures” enumerated in DORA along with the operational and security risk measures itemized in the relevant Regulatory Technical Standards (RTSs) applying under the EU PSD2 Directive (Article 95).
Section 3.8 (paragraphs 92-98) of the guidelines, which covers payment service user relationship management for payment service providers (PSPs), is however being retained.
Risk management
And the EBA is careful to point out, in its press release announcing the changes, that PSD2 security and operational risk management requirements continue to apply to PSPs that are not covered by DORA. Post-office giro institutions and credit unions are specifically mentioned as examples of such financial entities. For this reason Section 3.8 remains relevant and is being retained in the truncated guidelines.
The press release also points out that such PSPs “can potentially be subject to additional national requirements, regardless of the existence of EBA Guidelines that would apply to them.”
In other words, the EBA Guidelines in place will not necessarily trump local (national) regulation and guidelines that apply to such institutions. That includes the possibility of governments retaining the approach set out in the original (unamended) EBA guidelines “under their national legal framework or supervisory measures.”