ICT Risk Is Now Embedded in SREP: What the EBA’s 2026 Follow-Up Means

February 2026 | Regulatory Intelligence Insight

In February 2026, the European Banking Authority (EBA) published its follow-up to the 2022 peer review on ICT risk assessment under the Supervisory Review and Evaluation Process (SREP). The report confirms a structural shift in European banking supervision: ICT risk, under the Digital Operational Resilience Act (DORA), is now being fully embedded into the core prudential supervisory framework.

This is not a technical update.
It represents architectural consolidation of ICT risk within EU banking supervision.

1. From Parallel ICT Review to Embedded Prudential Risk

Historically, ICT risk assessment under SREP was governed by standalone ICT SREP Guidelines. The 2026 follow-up confirms that these guidelines will be repealed and integrated into the revised SREP Guidelines, with ICT risk embedded directly within operational risk assessment.

Under the revised framework:

  • ICT risk is assessed pursuant to DORA requirements.
  • ICT risk becomes part of consolidated operational risk scoring.
  • Institution-specific DORA-related indicators will be incorporated into supervisory monitoring frameworks.
  • ICT risk assessment will follow the minimum SREP engagement model.

This integration fundamentally changes the supervisory posture. ICT risk is no longer treated as a specialised or parallel compliance stream. It becomes a core component of prudential supervision with potential implications for supervisory dialogue and capital considerations.

2. DORA as Supervisory Infrastructure

The EBA report explicitly acknowledges that the application of DORA from January 2025 has reshaped ICT supervision across the EU.

DORA establishes harmonised requirements for:

  • ICT risk management governance and controls
  • ICT incident classification and reporting
  • Digital operational resilience testing (including threat-led penetration testing)
  • ICT third-party risk management
  • Oversight of critical ICT third-party providers

Importantly, several regulatory technical standards now transform previously uneven practices into binding and directly applicable requirements.

The 2026 follow-up confirms that supervisory authorities have:

  • Strengthened ICT-specific capacity and expertise
  • Established or expanded dedicated ICT/DORA supervisory units
  • Conducted horizontal benchmarking and sector-wide surveys
  • Aggregated ICT third-party registers at EU scale
  • Increased automation in incident reporting and supervisory tools

This signals a move from interpretive supervision to harmonised, indicator-based supervision.

3. Horizontal Benchmarking and Convergence

One of the most significant developments is the expansion of horizontal supervisory analysis.

Supervisors are increasingly:

  • Conducting sector-wide DORA readiness surveys
  • Benchmarking institutions against peers
  • Aggregating ICT third-party service registers
  • Identifying systemic patterns through incident reporting analysis
  • Automating data collection and validation processes

The report confirms that ICT risk sub-categories and risk scenarios are now broadly implemented across Member States, with only isolated gaps remaining.

This matters for institutions because supervisory exposure becomes comparative rather than isolated.

ICT risk management maturity will be assessed not only on internal consistency but also against peer benchmarks within the EU.

4. The Integration of ICT Risk into Operational Risk

Under the revised SREP Guidelines, ICT risk will be embedded within operational risk assessment (Title 6). When assessing operational risk, competent authorities must evaluate ICT risk pursuant to DORA and consider its potential impact on critical or important functions, including financial, reputational, regulatory, and strategic impact.

The framework will also integrate institution-specific DORA indicators into supervisory monitoring systems.

This represents a shift toward:

  • Indicator-driven oversight
  • Continuous monitoring
  • Enhanced proportionality
  • Consolidated supervisory assessment rather than parallel tracks

In practical terms, ICT governance, third-party risk management, incident management capability, and operational resilience testing will be evaluated within a prudential supervisory context rather than solely within compliance silos.

5. What This Means for Financial Institutions

The 2026 follow-up does not introduce new regulatory obligations beyond DORA. However, it confirms a structural hardening of supervisory expectations.

Three implications stand out:

ICT Risk Is Prudentially Relevant

ICT risk is now embedded in the supervisory architecture that influences ongoing supervisory dialogue and operational risk evaluation.

Supervisory Convergence Is Advancing

National approaches are being harmonised under DORA and revised SREP integration. This reduces interpretive flexibility and increases standardisation.

Indicator-Based Supervision Is Expanding

The use of data collection tools, benchmarking, automated validation engines, and DORA-related indicators suggests a transition toward measurable supervisory oversight.

Institutions should therefore view ICT risk management not only as regulatory compliance but as structured supervisory positioning within an increasingly harmonised European framework.

6. Forward Outlook

The EBA concludes that significant progress has been made, while continued investment in expertise, horizontal analysis, and supervisory tools remains essential.

Looking ahead, the direction of travel is clear:

  • ICT risk is embedded within prudential supervision.
  • Supervisory convergence across the EU is accelerating.
  • DORA provides the structural baseline for digital operational resilience.
  • Monitoring frameworks are becoming more data-driven.

This marks a consolidation phase in European digital operational resilience supervision.

Financial institutions operating within the EU should align governance, control frameworks, and third-party oversight models with this embedded supervisory architecture.

Sources

  • European Banking Authority (EBA), Peer Review Follow-Up Report on ICT Risk Assessment under the SREP (EBA/REP/2026/05), February 2026.
  • Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA).
  • Draft Revised SREP Guidelines (EBA consultation).

REG-DIGITAL monitors supervisory convergence developments across DORA, SREP and ICT risk frameworks to support institutions in aligning with evolving European regulatory architecture.


