The European Banking Authority (EBA) today repealed its Guidelines on major incidents reporting under the Payment Services Directive (PSD2) due to the application of harmonised incident reporting under the Digital Operational Resilience Act (DORA) from 17 January 2025. The repeal of the Guidelines aims at simplifying the reporting of major incidents by payment service providers (PSPs) and providing legal certainty to the market.
DORA, which will start applying from 17 January 2025, introduces harmonised incident reporting requirements that apply to financial entities across the banking, securities/markets, insurance and pensions sectors. This includes most PSPs, namely credit institutions, payment institutions, e-money institutions and account information service providers. DORA also disapplies the incident reporting requirements under PSD2 for those PSPs.
In that regard, to ensure legal clarity and certainty for the payment service providers covered by DORA, and to simplify the overall reporting of major incidents by PSPs, the EBA has decided to repeal its Guidelines on major incident reporting under PSD2.
It is important to note that incident reporting requirements under PSD2 still apply for other types of PSPs (e.g. post-office giro institutions and credit unions) that are not covered by DORA. However, the EBA has decided to repeal the Guidelines in their entirety because:
- the number of such institutions is very low with no sizable market share at EU level;
- these PSPs operate in less than half of the EU Member States and provide services at national level only;
- the number and significance of incident reports received from these PSPs at EU-level is negligible.
Finally, the EBA notes that those PSPs that are still subject to incident reporting requirements under the PSD2 can be subject to national incident reporting requirements, regardless of the existence of the EBA Guidelines.
Competent authorities willing to retain the incident reporting approach included in the EBA Guidelines for those PSPs can continue to do so under their national legal framework or supervisory measures.
Brief
"On 17/01/2025, the European Banking Authority (EBA) issued an update regarding the repeal of the Guidelines on major incident reporting under the revised Payment Services Directive. The repeal aims to simplify reporting for payment service providers and provide legal certainty, as harmonised incident reporting under the Digital Operational Resilience Act (DORA) will apply from 17 January 2025."
Purpose:
The European Banking Authority (EBA) has repealed its Guidelines on major incidents reporting under the Payment Services Directive (PSD2) to simplify the reporting of major incidents by payment service providers (PSPs) and provide legal certainty to the market. This move aims to align with the Digital Operational Resilience Act (DORA), which introduces harmonised incident reporting requirements for financial entities across various sectors, including PSPs.
Effects on Industry:
The repeal of the EBA Guidelines will have a significant impact on the payment service provider industry, as it will simplify and harmonise incident reporting requirements. This change is expected to reduce regulatory burdens and provide clarity to the market, ultimately benefiting consumers and businesses that rely on these services. DORA’s application from January 2025 will ensure consistency in incident reporting across the financial sector.
Relevant Stakeholders:
Payment service providers (PSPs), including credit institutions, payment institutions, e-money institutions, and account information service providers, are directly affected by this update. These entities will need to comply with DORA’s harmonised incident reporting requirements, which supersede the PSD2 Guidelines. Other relevant stakeholders include consumers who rely on these services and national competent authorities responsible for enforcing regulatory requirements.
Next Steps:
Payment service providers subject to the repeal of the EBA Guidelines are advised to familiarise themselves with DORA’s requirements and ensure compliance by January 2025. Competent authorities willing to retain the incident reporting approach included in the EBA Guidelines can continue to do so under their national legal framework or supervisory measures.
Any Other Relevant Information:
It is essential to note that certain types of PSPs, such as post-office giro institutions and credit unions, will still be subject to incident reporting requirements under PSD2. These entities may need to continue reporting incidents in accordance with the repealed EBA Guidelines until they are fully compliant with DORA’s harmonised requirements.