Regulation

EBA Guidelines on ICT and security risk management

Long before the Digital Operational Resilience Act (DORA), credit institutions (aka banks) and investment firms (aka investment banks, hedge funds, PE & VC firms, ...), as well as PSPs (Payment Service Providers regulated under the second Payment Services Directive, PSD2), already had to comply with these EBA guidelines on ICT and security risk management.

If you compare DORA with these guidelines, you'll see that the overlap is close to 100%. DORA incorporates (and supersedes) essentially all of the requirements in these guidelines, and of course adds more of its own on top (alas).

Guidelines

  • Governance and strategy
    • Governance
    • Strategy
    • Use of third party providers
  • ICT and security risk management framework
    • Organisation and objectives
    • Identification of functions, processes and assets
    • Classification and risk assessment
    • Risk mitigation
    • Reporting
    • Audit
  • Information security
    • Information security policy
    • Logical security
    • Physical security
    • ICT operation security
    • Security monitoring
    • Information security reviews, assessment and testing
    • Information security training and awareness
  • ICT operations management
    • ICT incident and problem management
  • ICT project and change management
    • ICT project management
    • ICT systems acquisition and development
    • ICT change management
  • Business continuity management
    • Business impact analysis
    • Business continuity planning
    • Response and recovery plans
    • Testing of plans
    • Crisis communications
  • Payment service user relationship management

The last one is specific to PSPs: it describes the mitigating controls a PSP has to provide to its customers (payment service users) with regard to payments. For example:

  • Educate and assist customers: provide information and guidance about security risks associated with payment services.
  • Keep information up-to-date: regularly update educational materials to reflect new threats and vulnerabilities.
  • Allow for customization: give customers the option to disable specific payment functionalities if desired.
  • Offer flexible spending limits: allow customers to adjust spending limits within agreed-upon parameters.
  • Provide fraud alerts: notify customers of suspicious activity on their accounts.
  • Communicate security updates: keep customers informed about changes in security procedures.
  • Offer support: assist customers with any security-related questions or issues.