Upgrading banks’ capacity to deal with digital risks
Contribution by Anneli Tuominen, Member of the Supervisory Board of the ECB, for Eurofi Magazine
Frankfurt, 24 March 2026
Digitalisation is improving banks’ efficiency, but it is also bringing about threats to their operational resilience. Such threats have been compounded by escalating geopolitical tensions, which have been associated with the rising number of cyberattacks reported by banks in recent years. The ECB has long recognised banks’ operational resilience as a key area for improvement in the digital age. In recent years we have conducted a number of initiatives to help banks meet the challenges in this domain, including targeted reviews and on-site inspections of information technology security and outsourcing, as well as a cyber resilience stress test. More recently, our work in this field has been supported by a new EU regulation designed to keep digital risks in the financial sector in check: the Digital Operational Resilience Act (DORA), which came into effect in January 2025. I will now outline the supervisory benefits that this regulation has brought about so far and highlight the work still to be done to strengthen banks’ capacity to deal with digital risks.
A growing focus on change management risk
First, DORA has improved our supervisors’ ability to detect the operational information and communications technology (ICT) disruptions that banks routinely face, by establishing a broader reporting framework that is no longer limited to cyber incidents. With this new framework in place, we could see that 38% of the major incidents reported by banks in 2025 had “IT change” as their root cause. The growing number of ICT projects undertaken by banks and the complexity of running their operations effectively are exposing weaknesses in banks’ change management processes and related controls. So while the silver lining is that there is a growing awareness among banks of the need to embrace new technologies and modernise their ICT infrastructure, it is also necessary to strengthen processes and controls so that banks can meaningfully reduce unplanned downtime in their ICT networks. This will be a key focus of supervisory attention for the ECB.
Increased oversight of third-party dependencies
Second, DORA has given our supervisors a better handle on banks’ third-party dependencies. This aspect is particularly important as banks’ reliance on a handful of third parties offering cloud services has been increasing sharply in recent years, as proxied by the growing weight of cloud service-related expenses in banks’ total IT budget (rising from around 4% in 2021 to 17% in 2025). DORA requires financial institutions to assess and monitor third-party risks, establish clear contractual agreements and maintain strict controls over third-party arrangements. However, the experience thus far suggests that some banks are lagging behind when it comes to meeting these requirements, particularly in areas such as contract renegotiations with third-party providers and business continuity planning. We are therefore impressing on banks the need to close the remaining gaps promptly, which we will check through our on-site campaign on ICT third-party risk management. Moreover, to help keep in check the risks that critical ICT third-party service providers could pose to the broader financial sector, DORA introduces a comprehensive oversight framework for such parties at EU level. This framework, led by the three European Supervisory Authorities and to which the ECB is contributing through a team of dedicated staff, has been fully operational since January 2026, covering a total of 19 critical third-party service providers. Going forward, aspects such as subcontracting and how critical ICT services are provided to financial institutions will be a key point of attention for the oversight framework, with a view to preventing potential systemic impacts arising from service disruptions.
Ethical hacking and adapting to new technologies
Third, DORA requires certain types of banks designated as systemically important at either the global or domestic level to perform, at least once every three years, advanced security testing using external “ethical hackers” who try to compromise their IT systems. Unlike traditional tests that look for technical vulnerabilities in specific applications, this threat-led penetration testing (TLPT) replicates the tactics, techniques and procedures of real-world threat actors to test banks’ live systems. Thanks to such tests, banks will be able to learn how to enhance their cyber resilience strategy, and the test outcomes will inform banks’ and supervisors’ holistic view of banks’ cyber posture. The ECB will be responsible for managing these TLPTs for directly supervised entities and has published a dedicated guide explaining how it intends to implement TLPT in accordance with DORA. The first three-year cycle of tests has already started, and more than 80 banking groups have been notified.
Looking ahead, the common challenge for banks and their supervisors stemming from the new DORA framework is to keep abreast of technological innovation, enabling banks to continue to exploit the benefits of such technologies while fending off the risks that these might pose and allowing supervisors to engage in meaningful dialogue with their supervised entities.