EBA: Final report on amending Guidelines on ICT risk and security management

EBA has narrowed down the scope of its existing guidelines on ICT and security risk management measures, due to the application of harmonised ICT risk management requirements under DORA.  Specifically, EBA has narrowed down the entity scope of the guidelines to only those that are covered by DORA (credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions), and the scope of the guidelines to the requirements on relationship management of the payment service users in relation to the provision of payment services.