De Nederlandsche Bank published a speech by Steven Maijoor warning that large-scale, state-sponsored cyberattacks could plausibly disrupt EU financial services, given sector interconnections and reliance on shared third-party providers. He indicated that cyber resilience will be a key focus of DNB and European Central Bank supervision in the coming years, supported by the European Digital Operational Resilience Act (DORA), which came into effect at the start of 2025.
The speech highlighted that DORA makes threat-led penetration testing mandatory for the largest European financial institutions and tightens requirements for managing cyber risks in outsourcing chains, including stricter due diligence on ICT providers that may also increase scrutiny of fintech suppliers. Supervisors will also be able to inspect critical third-party ICT service providers alongside national authorities, with an expectation that large providers such as Google and Microsoft will come under EU-wide supervision and have their ability to detect and withstand cyberattacks tested.
On recovery capabilities, Maijoor referred to the European Central Bank’s 2024 cyber stress test as showing room for improvement and noted that DORA introduces new requirements for continuity planning and backup policies, including rapid detection and reporting, established response playbooks, and clearly defined management roles and responsibilities.
Maijoor also argued that resilience cannot be addressed firm-by-firm alone and cited Dutch nationwide contingency exercises as identifying weaknesses in information sharing between critical infrastructure providers, role allocation, and mobilisation of scarce cyber expertise. He called for governments to lead cross-sector cooperation through large-scale cyber drills and crisis-plan activation practice, and noted that DNB is working with sectors critical to finance, including energy and telecommunications, drawing on information-sharing, cooperation and ethical hacking experience.