EBA publishes follow-up report on ICT risk assessment under SREP

The European Banking Authority released a follow-up report on ICT risk assessment under the SREP, highlighting progress driven by DORA implementation and ongoing needs for consistent supervision across the EU.

The European Banking Authority (EBA) has published a follow-up to its 2022 peer review report on ICT risk assessment under the supervisory review and evaluation process (SREP).

The report indicates that competent authorities have made notable progress in strengthening ICT risk assessment, largely due to the implementation of the Digital Operational Resilience Act (DORA). However, further work and investment are needed to ensure consistent and effective ICT risk supervision across the European Union (EU).

The follow-up reviews the recommendations from 2022, including benchmarking questions, and assesses progress since the application of DORA began in January 2025. It also considers the upcoming integration of ICT SREP Guidelines into the revised SREP Guidelines, a key recommendation from the 2022 report.

The findings show that authorities are improving their ICT supervisory capacity, using horizontal analyses, and applying supervisory tools systematically. There has been progress in the use of ICT risk sub-categories, now broadly adopted by almost all authorities.

The report encourages authorities to fully integrate ICT risk methodologies and sub-categories into supervisory processes and to continue efforts to enhance supervisory convergence and operational resilience across the EU.

Read the Original: European Banking Authority on February 23, 2026