The European Banking Authority has published a follow-up peer review of how EU competent authorities assess information and communication technology (ICT) risk within the Supervisory Review and Evaluation Process (SREP). The report finds notable improvements since the 2022 review, largely linked to the application of the Digital Operational Resilience Act (DORA), but concludes that further work and continued investment are still needed to deliver consistent and effective ICT risk supervision across the EU. The follow-up revisited the 2022 recommendations and included a targeted review of relevant benchmarking questions, drawing primarily on related supervisory convergence work. It reports enhanced ICT supervisory capacity and expertise, increased use of horizontal analyses and more systematic application of supervisory tools, with the ICT risk sub-categories now broadly implemented by almost all authorities. The report encourages competent authorities to fully integrate ICT risk methodologies and ICT risk sub-categories into their supervisory processes and to continue efforts to strengthen supervisory convergence and operational resilience. The assessment was conducted in light of DORA applying since January 2025 and the forthcoming integration of the ICT SREP Guidelines into the revised SREP Guidelines.
European Banking Authority 2026-02-23
European Banking Authority follow-up peer review reports progress in ICT risk assessment under SREP and urges further supervisory convergence under DORA
The European Banking Authority's follow-up peer review highlights improvements in EU authorities' ICT risk assessment within the Supervisory Review and Evaluation Process, attributed to the Digital Operational Resilience Act. Despite progress, the report calls for further investment to ensure consistent ICT risk supervision across the EU. It urges authorities to fully integrate ICT risk methodologies and enhance supervisory convergence and operational resilience.