EBA reports progress in ICT risk supervision, DORA drives change
The European Banking Authority (EBA) has published a follow-up report on ICT risk assessment, noting notable progress by competent authorities. Driven by DORA, further investment is needed for consistent EU-wide supervision.
DORA drives supervisory strengthening
Competent authorities have made notable progress in strengthening ICT risk assessment, largely due to the implementation of the Digital Operational Resilience Act (DORA) since January 2025. The EBA's review, a follow-up to its 2022 peer report, assessed this advancement, particularly in light of the forthcoming integration of ICT SREP Guidelines into revised SREP Guidelines.
Findings confirm enhanced supervisory capacity, increased use of horizontal analyses, and systematic application of supervisory tools.
Improvement was also observed in the broad implementation of ICT risk sub-categories by almost all authorities across the EU.
Sustained efforts for EU resilience
Despite significant progress, the EBA emphasizes that continued investment and further work are essential to ensure consistent and effective ICT risk supervision throughout the European Union.
The report encourages competent authorities to fully integrate ICT risk methodologies and sub-categories into their supervisory processes.
This includes sustained efforts to enhance supervisory convergence and operational resilience across the EU, building on the foundations laid by DORA and the revised SREP Guidelines.
The EBA underscores the importance of these ongoing efforts for the long-term stability of the financial system.
Progress, but gaps remain
The EBA's report confirms progress in ICT risk supervision, largely due to DORA, but reveals persistent gaps in consistent EU-wide implementation.
This highlights the ongoing challenge of translating regulation into uniform practice across diverse national authorities.
Achieving true digital resilience for the banking sector requires more harmonized and proactive supervisory efforts.