The EBA publishes follow-up Report on ICT risk assessment under the Supervisory Review and Evaluation Process

  • Press Release
  • 23 February 2026

The European Banking Authority (EBA) today published the follow-up to its 2022 peer review report on ICT risk assessment under the supervisory review and evaluation process (SREP). The follow-up Report shows that competent authorities have made notable progress in strengthening ICT risk assessment, driven largely by the implementation of the Digital Operational Resilience Act. At the same time, further work and continued investment remain necessary to ensure consistent and effective ICT risk supervision across the European Union (EU).

The follow-up exercise reviewed the recommendations issued to competent authorities in 2022, including a targeted follow-up on relevant benchmarking questions. It assessed progress in light of the application of DORA since January 2025, and the forthcoming integration of the ICT SREP Guidelines into the revised SREP Guidelines - one of the key recommendations of the 2022 report. In conducting this review, the EBA primarily relied on related supervisory convergence work.

The findings confirm that competent authorities are enhancing their ICT supervisory capacity and expertise, increasingly using horizontal analyses, and systematically applying supervisory tools. In relation to benchmarks, improvement was observed in the use of the ICT risk sub-categories, which are now broadly implemented by almost all authorities.

More broadly, the Report encourages competent authorities to fully integrate ICT risk methodologies and ICT risk sub-categories into supervisory processes, along with continued efforts to enhance supervisory convergence and operational resilience across the EU.

Legal basis and background

The follow-up Peer Review has been conducted in accordance with Article 30 of the EBA Regulation (Regulation (EU) No 1093/2010), which requires a review committee to prepare a follow-up report two years after the publication of the initial peer review and submit it to the Board of Supervisors. The follow-up report shall include an assessment of, but not be limited to, the adequacy and effectiveness of the actions undertaken by the competent authorities that are subject to the peer review in response to the follow-up measures of the peer review report.

Documents

Follow up Peer Review Report on ICT Risk Assessment under SREP


Press contacts

Franca Rosa Congiu