ESMA Puts Cyber Resilience at the Heart of Its 2026 Supervisory Agenda
Key Takeaways
- Cyber Resilience Front and Center: ESMA confirmed that cyber risk and digital resilience will remain top priorities in its 2026 Union Strategic Supervisory Priorities (USSPs), extending the focus introduced under DORA in 2025.
- Supervisory Coordination Deepens: National competent authorities (NCAs) are being urged to continue proactive supervision and strengthen coordination across the EU to ensure consistent application of DORA requirements.
- Digital Risk as Systemic Risk: The renewed emphasis reflects a shift in EU financial regulation, treating technology and cyber resilience as critical to overall market stability.
- ESG Oversight Continues: ESG disclosures will remain a key supervisory theme, with regulators targeting high-risk areas and consolidating progress made since the initiative began in 2022.
- New Priorities: ESMA plans to assess additional supervisory topics in 2026 that may require heightened EU-wide oversight in the coming years.
Deep Dive
The European Securities and Markets Authority (ESMA) is doubling down on digital resilience. The EU’s markets watchdog announced that cyber risk and operational resilience will again headline its Union Strategic Supervisory Priorities (USSPs) in 2026, extending its focus on one of the most pressing challenges facing Europe’s financial system.
The priority, first introduced in January 2025 alongside the Digital Operational Resilience Act (DORA), has already prompted national regulators to sharpen their oversight of how firms manage ICT and cybersecurity risks. ESMA said it has seen “strong initial engagement” from national competent authorities (NCAs) since the initiative began, crediting proactive checks and capacity-building efforts across member states.
Now, the regulator wants supervisors to maintain that momentum. “Securing a resilient financial sector” remains essential, ESMA said, urging NCAs to continue strengthening supervision under DORA and improve coordination between national oversight and the EU-wide framework.
The renewed focus underscores a broader shift within European financial regulation, where digital resilience is no longer treated as a technical afterthought but as a fundamental part of systemic stability. For financial firms, that means supervisors are likely to dig deeper into how technology risks are identified, managed, and tested, from cloud dependencies to incident response.
At the same time, ESMA signaled that its long-running emphasis on ESG disclosures isn’t going away. Since 2022, sustainability reporting has been another key USSP, and through 2025, ESMA and NCAs have been reviewing how investment firms and asset managers comply with EU rules on ESG transparency. In 2026, supervisors will focus on consolidating progress, targeting high-risk areas and ensuring consistent application of the standards across markets.
ESMA said it may introduce new areas of supervisory attention in 2026 and beyond as it refines its Union-wide agenda. But for now, as financial markets grow ever more digital, resilience isn’t just part of compliance; it’s part of survival.

