EBA finds progress in ICT risk supervision as DORA reshapes the landscape
Two years ago, Europe’s banking supervisor warned that oversight of technology risk needed to step up a gear. Now, as the Digital Operational Resilience Act (DORA) takes root, the regulator finds that supervisory teams in member states are better placed to deal with these issues.
The European Banking Authority (EBA) has published a follow-up to its 2022 peer review on ICT risk assessment under the Supervisory Review and Evaluation Process (SREP), concluding that notable improvements have been made across the European Union.
The review comes against a backdrop of significant regulatory change. The EU’s Digital Operational Resilience Act (DORA), in force since January 2025, has introduced a single framework for managing ICT risk across the financial sector and embedded digital resilience firmly within supervisory practice through revised SREP guidelines.
The European Banking Authority (EBA) reports that authorities are strengthening specialist ICT teams, expanding training, with more than 2,000 supervisors participating in the EU Supervisory Digital Finance Academy, and making greater use of sector-wide surveys, incident data and, for the first time in 2025, aggregated registers of ICT third-party providers. Most authorities now have dedicated ICT risk methodologies in place, and use of risk sub-categories has improved, though (naturally) some gaps remain.
Overall, the EBA sees clear progress in supervisory convergence under DORA, while emphasising that continued investment in expertise, horizontal analysis and supervisory tools will be essential as technology risks continue to evolve.
As ICT risk becomes more central to prudential supervision, the EBA continues to emphasise that DORA is an important step in the right direction, bringing much needed clarity and transparency to an increasingly important pillar of global finance.
Read the report here.
