THE SUPERVISION BLOG
Operational resilience in the digital age
17 January 2025
Digitalisation is leading to efficiency gains for banks and improved services for their customers, but it is also bringing threats to operational resilience in the financial sector into sharper focus. To keep these digital threats in check, the EU has developed a new regulation, which applies as of today. This blog post discusses how the new regulation makes the financial sector more resilient and outlines the implications for banks and their supervisors.
The implementation of the EU’s new Digital Operational Resilience Act, or DORA, is timely. Banks’ reliance on digital technologies and information and communication technology (ICT) third-party service providers leaves them operationally vulnerable, in a context where the number of reported cyber incidents has doubled in recent years (Chart 1). Banks typically depend on a handful of large ICT service providers that also have a significant presence in other areas of the financial sector. But these third-party service providers are not necessarily financial entities themselves, which means they are subject to a different kind of supervisory and regulatory regime. Vulnerabilities in their operations could therefore disrupt banking services, with potentially large and negative knock-on effects for both the financial sector and the real economy.
The EU’s new regulation harmonises the rules relating to digital operational resilience that apply to different types of financial entities, such as banks, insurance companies and investment firms, as well as to external ICT third-party service providers. This has three main implications for banks and their supervisors.
Chart 1
Number of cyber incidents reported to the ECB by significant banks

Source: ECB Banking Supervision.
Strengthening the incident reporting framework
First, DORA will strengthen the incident reporting framework for banks. Until now, banks in the EU have had to comply with a number of competing, and sometimes overlapping, requirements when reporting cyber and IT-related incidents. The ECB had its own cyber incident reporting framework, which is now being phased out. The national frameworks of some EU Member States participating in the Single Supervisory Mechanism were sometimes wider in scope and also covered other types of IT or operational incidents. Outside the remit of European banking supervision, other Member States also had their own reporting requirements for banks. And in addition to all of these, the EU's payment services legislation (PSD2) required many banks to report major payment-related incidents separately.
The new incident reporting framework introduced under DORA harmonises all of these requirements in a single framework, easing the reporting requirements for banks while ensuring that different authorities across the EU dealing with IT and cybersecurity risk have access to information in a consistent format. In turn, this will make it easier for these stakeholders to exchange information in the event of a crisis, for example in the context of the systemic cyber incident coordination framework, which is already in place at the European level and in which the ECB also participates.
Chart 2
Overview of the type and number of cyber incidents reported to the ECB by significant banks

Source: ECB Banking Supervision.
Beyond fostering crisis preparedness, the main benefit of the new incident reporting framework from a prudential perspective is that it will include a broader set of ICT-related indicators than the ECB’s cyber incident reporting framework (Chart 2), as it also covers non-cyber incidents. This will give supervisors a better grasp of the digital operational resilience risks the banks are facing.
Enhancing banks’ preparedness to deal with cyberattacks
Second, DORA will lead to an improvement in banks’ preparedness to deal with cyberattacks. The new regulation requires several types of banks to perform advanced security testing in which external “ethical hackers”, working from current threat intelligence, attempt to break into the live systems that support the banks’ critical functions. Banks will be able to learn from this threat-led penetration testing (TLPT) and enhance their cyber resilience strategy as a result. Similarly, supervisors will have a new tool at their disposal and will be able to use the TLPT findings when conducting supervisory processes.
DORA requires global systemically important institutions and other systemically important institutions, as well as their respective group entities, to perform TLPTs at least every three years (or more regularly, at the competent authority’s discretion). This means that more than two-thirds of the banks under the ECB’s direct supervision will be affected by these tests. The ECB will be responsible for managing these TLPTs and certifying that banks are meeting the requirements. This will therefore have a significant impact on our supervisory activities in the future, including capacity building on IT risk management.
Keeping a closer eye on third-party risks
Third, DORA will enable supervisors to keep a closer eye on third-party risks. To this end, and to keep in check the risk that critical ICT third-party service providers could pose to the broader financial sector, these providers will now be subject to oversight at EU level. One of the three European supervisory authorities will lead this oversight: the European Banking Authority, the European Insurance and Occupational Pensions Authority, or the European Securities and Markets Authority. The ECB will participate in these oversight activities by contributing resources to the joint examination teams that will be established for each critical ICT third-party service provider.
Moreover, DORA will improve the monitoring of ICT third-party arrangements by introducing a new unified register of information covering all contractual arrangements with ICT service providers. This will harmonise banks’ reporting in this area and provide a single data collection point for ICT third-party dependencies, giving continuity to reporting processes, tools and data management.
The way forward
Overall, the implementation of DORA is an important step in cementing the digital operational resilience of the financial sector in Europe. The current fragile geopolitical environment makes our societies more vulnerable to hybrid threats, including sophisticated cyberattacks, and the banking sector is no exception. Banks and supervisors must therefore remain vigilant and be alert to the possibility of these risks materialising in the future. DORA will make this task easier than before. Investing in IT security and sound ICT risk management is expensive, but there is no alternative if banks’ business models are to remain viable.