
From Resilience to Reality: The EBA’s Vision for Unified ICT Risk Supervision under DORA

The European financial landscape is undergoing its most significant digital transformation since the inception of the Single Rulebook. At the heart of this shift is the Digital Operational Resilience Act (DORA), which became fully applicable in January 2025. Recently, the European Banking Authority (EBA) released a pivotal follow-up report to its 2022 peer review, examining how National Competent Authorities (NCAs) assess Information and Communication Technology (ICT) risks within the Supervisory Review and Evaluation Process (SREP).


The verdict? Progress is notable, and the "DORA effect" is real. However, while the structural foundations are largely in place, the EBA warns that the journey toward true supervisory convergence across the European Union is far from over.



1. DORA as the Great Catalyst

When the EBA first conducted its peer review in 2022, the regulatory environment for ICT risk was a patchwork of national interpretations and high-level guidelines. The arrival of DORA has acted as a powerful catalyst, forcing a harmonised approach to how banks and financial institutions protect, detect, and recover from ICT-related disruptions.


Since January 2025, the application of DORA has moved ICT risk from the periphery of "IT audits" to the core of prudential supervision. The EBA’s report highlights that DORA has provided the necessary legal weight to ensure that operational resilience is treated with the same level of scrutiny as capital adequacy or liquidity risk.


Key Shift: From Guidance to Integration

One of the most consequential findings in the latest report is the decommissioning of standalone ICT SREP guidance. Instead, ICT risk assessment is being folded directly into the Revised SREP Guidelines.


This is more than a clerical change; it represents a philosophical shift. By embedding ICT risk into the core SREP framework, the EBA is signalling that digital resilience is inseparable from a bank’s overall safety and soundness. A bank cannot be considered "stable" if its digital infrastructure is fragile.


2. The Current State of Play: Capacity and Benchmarking

The EBA’s follow-up reveals a European supervisory community that has significantly upskilled over the last 24 months.


Broader Use of Benchmarks

A major recommendation from 2022 was the need for more robust benchmarking. The EBA now observes that almost all competent authorities have broadly implemented ICT risk sub-categories and risk scenarios. This allows supervisors to compare an individual bank's resilience against its peers using a standardised "yardstick."


  • Risk Scenarios: Supervisors are now using more sophisticated "what-if" scenarios, such as total cloud service provider outages or widespread ransomware attacks, to test bank responses.

  • Sub-category Analysis: Rather than looking at "IT" as a monolithic block, supervisors are dissecting risks into specific areas like logical security, ICT operations, and third-party dependency.


Established Methodologies

Interestingly, the EBA found that the "structural" side of supervision was already quite mature. With only one exception, all NCAs had already established dedicated ICT risk assessment methodologies prior to the 2025 DORA deadline. The challenge has not been creating the tools, but rather sharpening them and using them consistently across different borders.


3. The Convergence Gap: Why Consistency Matters

While the "notable progress" is encouraging, the EBA’s report is laced with a pragmatic warning: supervisory capacity is not yet uniform.

In a single market, a "weak link" in one jurisdiction’s supervision can create systemic risks for the entire Union, especially given the cross-border nature of digital services and cloud outsourcing. The EBA identifies three critical areas where further work is required:


I. Investment in Expertise

The war for talent in cybersecurity and ICT risk is not limited to the private sector. National supervisors are struggling to recruit and retain the specialist expertise required to challenge the complex digital architectures of major systemic banks. The EBA urges continued investment in "supervisory brainpower" so that regulators are not perpetually one step behind the threat actors targeting the sector.


II. Horizontal Analysis

The EBA is pushing for more "horizontal analysis": the practice of looking across the entire banking sector to identify trends, rather than assessing each bank in isolation. If five different banks are all reporting increased latency issues with the same third-party provider, a horizontal view allows the supervisor to spot a systemic vulnerability before it becomes a crisis.


III. Tooling and Automation

As banks become more digitised, the act of supervision must follow suit. The EBA notes that the systematic application of supervisory tools, including automated data collection and SupTech (Supervisory Technology), will be vital for managing the sheer volume of ICT risk data generated under DORA.


4. Deep Dive: The EBA Regulation and Article 30

This follow-up wasn't just a casual check-in. Under Article 30 of the EBA Regulation (Regulation (EU) No 1093/2010), the Authority is legally mandated to revisit its peer reviews every two years.


This mechanism ensures accountability. It prevents "regulatory drift," where recommendations are made but never implemented. By revisiting the 2022 findings, the EBA has turned its original peer review from a static document into a living roadmap for reform.

| Area of Assessment   | 2022 Status             | 2026 Status (Post-DORA)          |
|----------------------|-------------------------|----------------------------------|
| Legal Framework      | Fragmented Guidelines   | Unified DORA Regulation          |
| SREP Integration     | Standalone ICT Guidance | Embedded in Core SREP            |
| Benchmarking         | Limited/Inconsistent    | Broadly Implemented              |
| Supervisory Capacity | Emerging                | Strengthening (but lacks depth)  |


5. Navigating the New Landscape: Threats and Resilience

The EBA’s assessment positions the EU as being "mid-transition." We have moved past the phase of writing the rules and are now in the difficult phase of operationalising them.

The modern threat landscape makes this transition urgent. The report highlights three specific areas that demand sustained coordination:


  1. Cyber Threats: The sophistication of state-sponsored actors and organised cybercrime requires a unified defensive posture.

  2. Third-Party Dependencies: With more banks moving to the cloud, the "concentration risk" of a few providers (like AWS, Azure, or Google Cloud) necessitates a cross-border supervisory approach.

  3. Complex Digital Infrastructures: Legacy banking systems are being patched with modern APIs and fintech integrations, creating "hidden" risks that traditional audits might miss.


6. Conclusion: The Path Ahead

The EBA’s follow-up report is a testament to the fact that European supervisors are no longer treating ICT risk as a "technical issue" for the IT department. It is now firmly established as a "prudential issue" for the boardroom.

The transition to the DORA era is well underway. The foundations, the methodologies, the benchmarks, and the legal framework are solid. However, the EBA is clear: the next phase is about depth and consistency.


To reach the goal of a truly resilient European financial sector, NCAs must move beyond just having a methodology on paper. They must continue to invest in human expertise and collaborative tools. In the digital age, a supervisor’s effectiveness is measured not just by the rules they write, but by their ability to understand and mitigate the invisible risks of a hyper-connected world.


As the EBA suggests, the architecture is adapting. Now, the focus must remain on the practice of resilience, ensuring that when the next major digital shock hits, the EU's financial system doesn't just survive, but remains operational and trusted.