DORA has reshaped Europe’s ICT risk supervision: EBA

The European Banking Authority found “notable progress” in how national supervisors assess information and communication technology (ICT) risk in banks’ Supervisory Review and Evaluation Process (SREP), compared with its 2022 peer review, citing DORA’s application from January 2025 and the integration of ICT risk into revised SREP guidelines.

On 23 February 2026, the report stated supervisors were strengthening capacity through dedicated ICT units and targeted training, increasing horizontal analysis such as surveys and thematic reviews, and building more systematic use of supervisory tools including self-assessment questionnaires and automated data collection platforms.

DORA becomes the baseline

EBA described DORA as setting a uniform baseline for managing ICT risk, turning previously recommended or unevenly applied practices into binding requirements across the bloc.

The report sets out core pillars under the regulation, including governance and risk controls, incident reporting, resilience testing including threat-led penetration testing for certain financial entities, and management of third-party technology providers, alongside a new oversight regime for critical external providers.

Alongside DORA, EBA noted that ICT risk assessment is being integrated into the revised SREP guidelines, replacing standalone technology-focused guidance and embedding the topic within operational risk supervision.

Supervisors add headcount and training

EBA reported that national competent authorities have been setting up or strengthening dedicated ICT teams, including recruiting specialists for areas such as threat-led penetration testing, and running targeted training programmes to raise technology and cyber skills across generalist supervisors.

It also pointed to broader European efforts to build expertise, citing the European Union Supervisory Digital Finance Academy, which it stated had trained more than 2,000 supervisors from 44 national competent authorities covering 27 member states, including on DORA, incident management, third-party risk and cybersecurity.

More benchmarking, more data

Horizontal analysis is becoming more common, EBA observed, with supervisors carrying out sector-wide surveys of DORA implementation and planning more in-depth thematic work from 2026.

A key data exercise in 2025 was the first annual collection and aggregation of “registers of information” on ICT services contracted to third-party providers across EU credit institutions, designed to give supervisors a system-wide view of outsourced technology dependencies.

Supervisors are also building wider use of automated tools, the report noted, ranging from online incident-reporting platforms and automated validation checks to an artificial intelligence tool used by a competent authority in the Netherlands to assess whether third-party contracts comply with DORA.

Laggards named

While the report concludes that most supervisors have established dedicated methodologies for ICT risk assessment, it found Hungary remains non-compliant on this benchmark, with its supervisory assessment methodology unchanged and an update still pending to align with DORA.

On the use of EBA’s list of ICT risk sub-categories and scenarios, it found France fully applies the list and Sweden and Liechtenstein broadly apply it, while Bulgaria still does not and plans to do so only from 2026, leaving it non-compliant “at the time”.

What happens next

EBA judged progress strong enough that the follow-up did not warrant new recommendations, but it stressed that continued investment in expertise, horizontal analysis and supervisory tools would be critical as the DORA regime matures and the revised SREP guidelines take effect.
