2026-07-15
Added · Updated
The Bank of Portugal issues this circular to highlight the applicability of the updated EBA Guidelines on ICT risk management (EBA/GL/2025/02) to supervised credit, payment, and e-money institutions under the DORA regulation. It specifically reinforces the requirements for payment service providers regarding user security, mandating proactive measures for user education, threat communication, and technical safeguards. The document outlines seven key procedures, including enabling payment feature deactivation, spending limit adjustments, and fraud alert systems, noting that these practices are integrated into the Bank's supervisory activities.
Circular Letter No. CC/2026/00000020 Mod. 99999924/T – 01/14 Subject: EBA Guidelines on the management of risks associated with ICT and security in the relationship with payment service users
The risk associated with information and communication technologies ("ICT") is assuming increasing importance in the business model and risk profile of financial entities, within a context of innovation, characterized by the high and progressive use of computer systems, the significant relevance of data in financial markets, as well as the growing dependence on external providers of technological services.
In this context, the European Supervisory Authorities and the European legislator have been making significant efforts to incorporate harmonized and demanding, yet consistent and proportionate, requirements into the regulatory framework governing the provision of financial services.
By virtue of the publication of Regulation (EU) 2022/2554 of the European Parliament and of the Council, of 14 December, on digital operational resilience for the financial sector ("DORA Regulation"), the European Banking Authority ("EBA") published, on 2 February 2025, the Guidelines amending the Guidelines on the management of risks associated with information and communication technologies ("ICT") and security (EBA/GL/2025/021), which have been applicable since 20 May 2025.
Briefly, these Guidelines revoke most of the previous Guidelines on the management of risks associated with ICT and security (EBA/GL/2019/04), having altered their subjective scope, restricting it only to financial institutions subject to the DORA Regulation, and maintaining the last section on the management of the relationship with payment service users. This alteration was implemented through Instruction No. [x], remaining the need to implement the remaining content of EBA/GL/2019/04 for entities covered by said Guidelines.
Taking into account the subjective scope established by the Guidelines in the most recent version (EBA/GL/2025/02), in conjunction with the DORA Regulation, the remaining content of the Guidelines remains relevant for the entities listed in Article 2(1) of said Regulation and which are payment service providers.
Thus, the Bank of Portugal emphasizes the importance of credit institutions, payment institutions, and e-money institutions under its supervision observing the provisions of said Guidelines, taking into account their application in the context of current legislation and regulation, and in particular, as a complement to the provisions contained in the General Regime of Credit Institutions and Financial Companies, approved by Decree-Law No. 298/92, of 31 December, and in the Legal Regime of Payment Services and E-Money, approved by Decree-Law No. 91/2018, of 12 November, regarding the management of operational and security risks related to payment services and the management of operational risk in general.
1 Guidelines amending EBA/2019/04 Guidelines on the management of risks associated with ICT and security.
Mod. 99999924/T – 01/14
It is further informed that the Bank of Portugal communicated to the EBA its intention to comply with these Guidelines, so that the practices defined therein are taken into consideration in the exercise of supervisory activity.
With regard, in particular, to the relationship with payment service users, the Bank of Portugal is attentive to the way in which payment service providers have been implementing processes and mechanisms of protection that complement the information provided in the context of the use of payment services.
Thus, with regard to points 92 to 98 of the Guidelines, the Bank of Portugal understands the importance of reinforcing that payment service providers adopt the following procedures: