EBA follow-up report on ICT risk assessment under SREP

The European Banking Authority (EBA) has published a follow‑up report to its 2022 peer review on information and communication technology (ICT) risk assessment under the Supervisory Review and Evaluation Process (SREP). The report reviews the recommendations issued to competent authorities in 2022, considering progress made following the application of the Digital Operational Resilience Act (DORA) since January 2025, and the forthcoming integration of the ICT SREP Guidelines into the revised SREP guidelines under DORA.

The EBA notes substantial progress by competent authorities in strengthening ICT risk supervision, largely driven by DORA's implementation. Improvements include enhanced supervisory capacity and expertise, greater use of horizontal analyses and more systematic application of supervisory tools. ICT risk sub categories are now embedded across almost all authorities. However, the EBA emphasises that further work and investment are still required to ensure consistent and effective ICT risk supervision across the EU. It encourages authorities to fully integrate ICT risk methodologies and sub categories into their supervisory processes and to continue efforts to promote supervisory convergence and operational resilience ahead of the forthcoming revised SREP guidelines.

Return to main website.