EBA Sees Stronger ICT Risk Supervision Under DORA but Urges Further Convergence Across the EU
Key Takeaways
- DORA as Catalyst: The application of the Digital Operational Resilience Act since January 2025 has significantly shaped improvements in ICT risk supervision.
- Broader Use of ICT Benchmarks: Most competent authorities now broadly implement ICT risk sub-categories and risk scenarios, with limited gaps remaining.
- Methodologies Already Established: With one exception, all competent authorities had already established dedicated ICT risk assessment methodologies.
- ICT Embedded into Core Supervision: ICT risk assessment is being integrated into the revised SREP Guidelines, replacing standalone ICT SREP guidance.
- Further Convergence Needed: Continued investment in supervisory expertise, horizontal analysis, and tools will be critical to ensure consistent and effective ICT risk oversight across the EU.
Deep Dive
The European Banking Authority on Monday released its follow-up to a 2022 peer review examining how national supervisors assess ICT risk under the Supervisory Review and Evaluation Process, or SREP. In it, the EBA said competent authorities across the bloc have made “notable progress” in strengthening how they assess technology and operational resilience risks. Much of that momentum, the report notes, has been driven by the arrival of the Digital Operational Resilience Act (DORA), which has applied since January 2025.
But progress is not the same as completion. Supervisory capacity is improving. Tools are being used more consistently. Benchmarks are more widely applied. Yet further work and continued investment will be needed to ensure ICT risk supervision is truly consistent and effective across the European Union.
A Check-In Two Years Later
Under Article 30 of the EBA Regulation (Regulation (EU) No 1093/2010), the Authority is required to revisit peer reviews two years after publication to assess how supervisors have responded. This latest report revisits recommendations from the 2022 review of ICT risk assessment under SREP and evaluates how prudential supervisors have acted on them.
The regulatory landscape has shifted significantly since that first review. DORA, now fully applicable, has fundamentally reshaped ICT risk supervision across the EU financial sector. At the same time, one of the key 2022 recommendations, integrating ICT risk assessment into the broader SREP framework, is now being realized. The standalone ICT SREP Guidelines are being folded into revised SREP Guidelines.
Rather than starting from scratch, the EBA relied largely on its existing supervisory convergence work to gauge progress.
Capacity Up, Convergence Still Evolving
The tone of the findings is pragmatic. Competent authorities are strengthening ICT supervisory capacity and expertise. There has been progress both in the use of horizontal analyses, an important tool for identifying cross-sectoral risk trends, and in the systematic application of supervisory tools.
On benchmarking, the EBA observed improvement in the use of ICT risk sub-categories and risk scenarios. These are now broadly implemented by almost all authorities, though some gaps remain.
As for dedicated methodologies for ICT risk assessment, there has been little change since 2022, largely because, with one exception, all competent authorities had already established such methodologies at the time of the original review.
In other words, the structural framework was mostly in place. The shift since then has been about embedding and operationalizing it under a new, more demanding regulatory regime.
From Guidance to Integration
Perhaps the most consequential development highlighted in the report is the integration of ICT risk assessment into the revised SREP Guidelines. That integration signals a subtle but important evolution. ICT risk is no longer treated as a specialist overlay. Under DORA, it becomes inseparable from prudential supervision itself.
The EBA is encouraging supervisors to fully integrate ICT risk methodologies and sub-categories into their supervisory processes and to continue working toward greater supervisory convergence and operational resilience across the bloc.
The follow-up report does not frame the current state of play as deficient. Instead, it positions the EU supervisory system as mid-transition.
DORA has accelerated harmonization and raised the bar. Supervisors are building expertise and refining their tools. But effective ICT risk supervision (particularly in a landscape defined by cyber threats, third-party dependencies, and complex digital infrastructures) requires sustained investment and continued coordination.
The EBA’s assessment suggests that Europe’s supervisory architecture is adapting to the DORA era. The foundations are there. The next phase will be about consistency, depth, and resilience in practice.