On 23 February 2026, the European Banking Authority (EBA) published a follow-up report (the Report) of its peer review on information and communication technology (ICT) risk assessment under the Supervisory Review and Evaluation Process (SREP).

Background

The Report is a follow-up to the EBA peer review report published in October 2022. It assesses the progress made by prudential supervisors in implementing the recommendations from the peer review report, in light of regulatory developments, notably the Digital Operational Resilience Act (DORA). The Report also assesses one of the key recommendations from the 2022 peer review report on the forthcoming integration of ICT SREP guidelines into the general SREP guidelines under DORA.

The Report

The EBA has found notable improvements with regard to the 2022 peer review report recommendations, with Member State competent authorities (NCAs) in the process of strengthening their supervisory capacity and expertise.

Nevertheless, the Report highlights that:

  • The EBA has seen progress in the use of horizontal analysis and its integration into ICT risk supervision supported by the DORA framework. However, the Report notes that full maturity is yet to be achieved for NCAs to continue to expand automation and embed horizontal analysis into supervisory frameworks.
  • Sector-wide surveys, thematic reviews and incident reporting exercises have enabled NCAs to identify systemic vulnerabilities and promote a level playing field. While these practices are not yet fully mature, their expansion under DORA and the revised SREP guidelines is expected to further strengthen supervisory effectiveness.
  • The use of supervisory tools – such as self-assessment questionnaires, automated data collection platforms, and incident reporting systems – has become more systematic and technologically advanced, supporting the objectives of DORA and the upcoming SREP framework.
  • Areas of improvement remain, particularly regarding the full integration of ICT risk methodologies and ICT risk sub-categories into supervisory manuals and processes. The Report mentions that these are expected to be addressed as NCAs finalise their alignment with DORA and the revised SREP guidelines.

The Report notes that continued investment efforts in ICT expertise, horizontal analysis and supervisory tools will be critical to ensure effective supervision under DORA and the revised SREP guidelines. The Report also mentions that the EBA will publish a report each year on the degree of convergence of the SREP.

Next steps

The findings of the Report do not necessitate any further recommendations, yet a future peer review may be warranted to assess the maturity of these developments of the implementation of a targeted ICT area.