Enhanced ICT risk oversight improves banks' operational resilience and protects the EU financial system, while highlighting gaps that require coordinated regulatory action.
The European Banking Authority’s latest follow‑up report underscores a pivotal shift in how EU supervisors address information‑technology risk. By tying progress to the Digital Operational Resilience Act, the EBA highlights that regulatory frameworks are finally catching up with the rapid digitisation of banking services. This alignment not only standardises risk assessment methods but also creates a clearer benchmark for banks striving to meet heightened resilience expectations.
In practice, the report shows that supervisory bodies have expanded their technical expertise, adopted horizontal analytical approaches, and embedded ICT‑risk sub‑categories into routine oversight. These developments are reinforced by the forthcoming integration of dedicated ICT SREP guidelines into the broader SREP package, promising a more cohesive supervisory toolkit. For banks, this translates into clearer expectations, more consistent supervisory feedback, and a stronger incentive to embed robust cyber‑risk controls throughout their operations.
Nevertheless, the EBA warns that progress is uneven and that sustained investment is required to achieve full convergence across the Union. Gaps in supervisory capacity, data sharing, and methodological consistency could expose systemic vulnerabilities if left unaddressed. Stakeholders—ranging from national regulators to banking executives—must therefore prioritise collaborative initiatives, talent development, and technology upgrades to ensure that the EU’s financial sector remains resilient against evolving cyber threats.