European Central Bank Banking Supervision sets Digital Operational Resilience Act priorities on ICT change risk, third-party dependencies and threat-led penetration testing

In a Eurofi Magazine contribution, Anneli Tuominen, a member of the Supervisory Board, explains how European Central Bank Banking Supervision is using the EU’s Digital Operational Resilience Act to sharpen supervision of banks’ digital and operational resilience, with a particular focus on ICT change management, third-party risk and cyber testing. The expanded incident reporting under the Digital Operational Resilience Act, which is no longer limited to cyber incidents, has highlighted that 38% of major incidents reported by banks in 2025 had IT change as their root cause, putting change management processes and controls on the ECB’s supervisory agenda. On third-party dependencies, the contribution notes banks’ growing reliance on cloud providers, with cloud-related expenses rising from around 4% of total IT budgets in 2021 to 17% in 2025, and reports that some banks are behind on requirements such as contract renegotiations with providers and business continuity planning. It also describes the EU-level oversight framework for critical ICT third-party service providers as fully operational since January 2026, covering 19 providers, and highlights threat-led penetration testing requirements for banks designated as systemically important, with the ECB managing these tests for directly supervised entities and having issued an implementation guide. Next steps flagged include an ECB on-site campaign on ICT third-party risk management to verify gap-closing, a continued emphasis in the EU oversight framework on subcontracting and how critical ICT services are delivered, and execution of the first three-year threat-led penetration testing cycle, for which more than 80 banking groups have already been notified.