The EBA publishes follow-up Report on ICT risk assessment under the Supervisory Review and Evaluation Process

AI Analysis

The European Banking Authority (EBA) has published a follow-up report on integrating Information and Communication Technology (ICT) risk into the Supervisory Review and Evaluation Process (SREP). This report provides updated guidance for supervisors on assessing ICT risks and digital operational resilience within financial institutions, aligning with the requirements of the Digital Operational Resilience Act (DORA).

The guidance directly affects all financial entities within the scope of DORA, including credit institutions, investment firms, payment institutions, and crypto-asset service providers. It is particularly relevant for entities subject to the SREP framework, as national supervisors will use this guidance in their evaluations.

Compliance teams should immediately review this new EBA report to understand the updated supervisory expectations for ICT risk. They must then conduct a gap analysis against their current ICT risk management, governance, and resilience frameworks to ensure alignment. Proactive engagement with internal audit and risk management functions is essential to prepare for enhanced supervisory scrutiny in upcoming SREP cycles.