The European Banking Authority (EBA) released a follow-up to its 2022 peer review on ICT risk assessment under SREP, highlighting progress and ongoing needs across EU authorities.
The European Banking Authority (EBA) has published a follow-up report on ICT risk assessment under the supervisory review and evaluation process (SREP). The report reviews progress made since the 2022 peer review, noting significant advancements driven by the implementation of the Digital Operational Resilience Act (DORA).
The follow-up assessed the application of DORA since January 2025 and the upcoming integration of ICT SREP Guidelines into the revised SREP Guidelines, as recommended in 2022. The EBA relied on supervisory convergence work for this review.
Findings indicate that competent authorities are improving their ICT supervisory capacity, using horizontal analyses, and applying supervisory tools systematically. There has been notable improvement in the use of ICT risk sub-categories, now broadly adopted by nearly all authorities.
The report encourages authorities to fully integrate ICT risk methodologies and sub-categories into supervisory processes and to continue efforts to enhance supervisory convergence and operational resilience across the EU.
Legal basis and background information are available in the full report.
