2026-07-15

Added · Updated

Circular Letter No. CC/2026/00000020: EBA Guidelines on ICT Risk Management and Security in Payment Services

The Bank of Portugal issues this circular to highlight the applicability of the updated EBA Guidelines on ICT risk management (EBA/GL/2025/02) to supervised credit, payment, and e-money institutions under the DORA regulation. It specifically reinforces the requirements for payment service providers regarding user security, mandating proactive measures for user education, threat communication, and technical safeguards. The document outlines seven key procedures, including enabling payment feature deactivation, spending limit adjustments, and fraud alert systems, noting that these practices are integrated into the Bank's supervisory activities.

Banco de Portugal logo

Portugal

Banco de Portugal

Click to view thumbnail

Circular Letter No. CC/2026/00000020 Mod. 99999924/T – 01/14 Subject: EBA Guidelines on the management of risks associated with ICT and security in the relationship with payment service users

The risk associated with information and communication technologies ("ICT") is assuming increasing importance in the business model and risk profile of financial entities, within a context of innovation, characterized by the high and progressive use of computer systems, the significant relevance of data in financial markets, as well as the growing dependence on external providers of technological services.

In this context, the European Supervisory Authorities and the European legislator have been making significant efforts to incorporate harmonized and demanding, yet consistent and proportionate, requirements into the regulatory framework governing the provision of financial services.

By virtue of the publication of Regulation (EU) 2022/2554 of the European Parliament and of the Council, of 14 December, on digital operational resilience for the financial sector ("DORA Regulation"), the European Banking Authority ("EBA") published, on 2 February 2025, the Guidelines amending the Guidelines on the management of risks associated with information and communication technologies ("ICT") and security (EBA/GL/2025/021), which have been applicable since 20 May 2025.

Briefly, these Guidelines revoke most of the previous Guidelines on the management of risks associated with ICT and security (EBA/GL/2019/04), having altered their subjective scope, restricting it only to financial institutions subject to the DORA Regulation, and maintaining the last section on the management of the relationship with payment service users. This alteration was implemented through Instruction No. [x], remaining the need to implement the remaining content of EBA/GL/2019/04 for entities covered by said Guidelines.

Taking into account the subjective scope established by the Guidelines in the most recent version (EBA/GL/2025/02), in conjunction with the DORA Regulation, the remaining content of the Guidelines remains relevant for the entities listed in Article 2(1) of said Regulation and which are payment service providers.

Thus, the Bank of Portugal emphasizes the importance of credit institutions, payment institutions, and e-money institutions under its supervision observing the provisions of said Guidelines, taking into account their application in the context of current legislation and regulation, and in particular, as a complement to the provisions contained in the General Regime of Credit Institutions and Financial Companies, approved by Decree-Law No. 298/92, of 31 December, and in the Legal Regime of Payment Services and E-Money, approved by Decree-Law No. 91/2018, of 12 November, regarding the management of operational and security risks related to payment services and the management of operational risk in general.

1 Guidelines amending EBA/2019/04 Guidelines on the management of risks associated with ICT and security.

Mod. 99999924/T – 01/14

It is further informed that the Bank of Portugal communicated to the EBA its intention to comply with these Guidelines, so that the practices defined therein are taken into consideration in the exercise of supervisory activity.

With regard, in particular, to the relationship with payment service users, the Bank of Portugal is attentive to the way in which payment service providers have been implementing processes and mechanisms of protection that complement the information provided in the context of the use of payment services.

Thus, with regard to points 92 to 98 of the Guidelines, the Bank of Portugal understands the importance of reinforcing that payment service providers adopt the following procedures:

  1. Establish and implement processes to raise awareness among payment service users of the security risks associated with payment services by providing assistance and guidance to payment service users.
  2. Communicate to payment service users information on new threats and vulnerabilities identified and provide the necessary assistance and guidance.
  3. Keep payment service users informed about updates in security procedures that affect payment service users in matters of payment service provision.
  4. Provide assistance to payment service users on all matters, support requests, and notifications of anomalies or problems related to the security of payment services, with users being duly informed about how they can obtain this assistance.
  5. Allow payment service users to deactivate specific payment features of the product, related to the payment services provided. By way of example, it should be possible for the payment service user to block a payment instrument, if the product features allow it.
  6. Ensure that, when, in accordance with Article 108(1) of the Legal Regime of Payment Services and E-Money, a payment service provider has agreed with the payer spending limits for payment operations executed through specific payment instruments, the payer has the option to adjust such limits up to the maximum agreed limit.
  7. Allow payment service users to opt to receive alerts about initiated and/or failed attempts to initiate payment operations from their payment accounts, thus allowing the detection of fraudulent or malicious use.