EBA publishes follow-up report on ICT risk assessment under SREP

The European Banking Authority has released a follow-up report on ICT risk assessment under the supervisory review process, highlighting progress and ongoing needs across EU authorities since 2022.

The European Banking Authority (EBA) has published a follow-up to its 2022 peer review report on ICT risk assessment under the supervisory review and evaluation process (SREP).

The report shows that competent authorities have made notable progress in strengthening ICT risk assessment, largely driven by the implementation of the Digital Operational Resilience Act (DORA). However, further work and investment are needed to ensure consistent and effective ICT risk supervision across the European Union (EU).

The follow-up reviewed recommendations from 2022, including benchmarking questions, and assessed progress since the application of DORA began in January 2025. It also considers the upcoming integration of ICT SREP Guidelines into the revised SREP Guidelines, a key recommendation from the 2022 report.

The findings indicate that authorities are improving their ICT supervisory capacity and expertise, using horizontal analyses, and applying supervisory tools systematically. The use of ICT risk sub-categories has also improved: they are now broadly implemented by nearly all authorities.

The report encourages authorities to fully integrate ICT risk methodologies and sub-categories into supervisory processes and to continue efforts to enhance supervisory convergence and operational resilience across the EU.

Legal basis and background information are available in the full report.

Read the Original: European Banking Authority on February 27, 2026