ECB Supervisory Priorities 2026-28: Digital Resilience Takes Center Stage

DORA Atlas Editorial | 11 min read

On November 18, 2025, the ECB Banking Supervision published its supervisory priorities for the 2026-2028 cycle, marking a significant shift in how the European Central Bank approaches digital operational resilience. For the first time, digital resilience is not a secondary topic nested under broader risk management — it occupies a primary position alongside credit risk, governance, and climate-related financial risks.

The timing is deliberate. These priorities were published as DORA's application date of January 17, 2025, approached its first anniversary, and the ECB was signaling that the grace period for DORA compliance is over. The 2026-2028 priorities establish a three-year roadmap for turning DORA's regulatory text into supervisory reality.

The Three-Year Supervisory Roadmap

The ECB's supervisory priorities for digital resilience follow a clear progression from assessment to enforcement:

| Year | Focus | Key Activities | Supervisory Intensity |
|------|-------|----------------|-----------------------|
| 2026 | Baseline assessment | DORA compliance verification, register of information review, incident reporting readiness | High — comprehensive examination cycle |
| 2027 | Operational testing | Resilience testing quality review, TLPT programme assessment, third-party oversight maturity | Very high — on-site deep dives |
| 2028 | Demonstrated resilience | Evidence of continuous improvement, response to testing findings, board governance effectiveness | Sustained — integration into SREP |

The progression from compliance verification (2026) to operational testing (2027) to demonstrated resilience (2028) mirrors the maturity journey that IBM's one-year assessment identified as the industry's primary challenge.

2026: The Compliance Verification Year

The ECB's 2026 examination plan for digital resilience focuses on three areas:

Register of Information Completeness: Joint Supervisory Teams (JSTs) will review the DORA Article 28 register of information for significant institutions. The review will assess not just the existence of the register but its completeness — including sub-contracting chains, criticality assessments, and geographic dependency mapping.

Incident Reporting Infrastructure: The ECB will test institutions' ability to classify and report major ICT incidents within DORA Article 19 timeframes. This includes simulated incident exercises during on-site inspections.

ICT Risk Management Framework Review: JSTs will assess the quality of institutions' ICT risk management frameworks under DORA Articles 5-6, including governance structures, risk appetite statements for ICT risk, and the integration of ICT risk into the overall risk management framework.

Key Examination Areas: What the ECB Will Scrutinize

Third-Party Concentration Risk

The ECB's priorities explicitly identify third-party concentration risk as a "vulnerability that requires dedicated supervisory attention." This reflects both DORA's emphasis on third-party risk management and the ECB's own analysis of the significant institution landscape, which reveals extreme concentration in cloud service provision.

The ECB's data shows that among the approximately 110 significant institutions under its direct supervision:

  • Over 70% use AWS, Azure, or Google Cloud for at least one critical business function
  • The top three cloud providers serve over 90% of supervised institutions
  • Less than 20% have tested their exit strategies for critical cloud services

The Gulf crisis of March 2026 — occurring after the priorities were published but before the examination cycle began — will undoubtedly sharpen the ECB's focus on geographic concentration risk within the third-party assessment.

Cyber Resilience Testing

The ECB has been a pioneer in financial sector cyber testing through the TIBER-EU framework, which preceded DORA's TLPT requirements. The 2026-2028 priorities signal that the ECB will assess not just whether institutions conduct testing but the quality and scope of that testing.

Specific areas of scrutiny include:

  • Whether test scenarios reflect the current threat landscape (including state-sponsored actors)
  • Whether testing covers critical business processes, not just IT infrastructure
  • Whether test findings are remediated with tracked action plans
  • Whether the board is briefed on test results and participates in lessons learned

Board-Level ICT Governance

The priorities reference DORA Article 5 and Article 14 in the context of governance expectations. The ECB will assess whether boards:

  • Have sufficient ICT expertise (directly or through advisory)
  • Receive regular, meaningful reporting on ICT risks (not just annual compliance reports)
  • Actively challenge the ICT risk management framework
  • Hold management accountable for resilience outcomes

| Governance Dimension | ECB Expectation | Assessment Method |
|----------------------|-----------------|-------------------|
| Board ICT expertise | At least one member with ICT/cyber background | Board composition review |
| Reporting frequency | Quarterly or more frequent for SIs | Board minutes review |
| Challenge function | Evidence of substantive board questioning | Interview with board members |
| Accountability | Clear escalation and consequence framework | Policy and incident review |

Integration with the SREP

The most significant structural change in the 2026-2028 priorities is the integration of digital resilience into the Supervisory Review and Evaluation Process (SREP). Currently, ICT risk is assessed as a component of operational risk within the SREP. The ECB is signaling that digital resilience will become a standalone assessment dimension.

This has practical consequences:

SREP Scoring Impact: Weaknesses in digital resilience could directly affect an institution's overall SREP score, potentially triggering capital add-ons or Pillar 2 requirements. While DORA does not directly impose capital charges, the ECB can use its supervisory discretion to impose additional requirements on institutions with inadequate resilience.

Supervisory Measures: The ECB can impose binding supervisory measures ranging from remediation requirements to restrictions on business activities. An institution with a material digital resilience deficiency could face restrictions on digital service expansion or new product launches.

Public Disclosure: The SREP process produces supervisory assessments that, while not publicly disclosed in full, inform market communications and analyst briefings. Institutions with poor digital resilience ratings will face questions from investors and rating agencies.

Implications for Significant Institutions

The ECB's 2026-2028 priorities create a clear set of expectations for the approximately 110 significant institutions under its direct supervision.

Immediate Actions (Q1-Q2 2026)

  1. Complete the register of information. The ECB will review registers in 2026. Incomplete registers — particularly those missing sub-contracting chains and geographic dependencies — will be flagged immediately.
  2. Test incident reporting readiness. Conduct internal simulations of the DORA Article 19 reporting process. If the simulation reveals that the institution cannot classify and report within 4 hours, fix the process before the ECB tests it.
  3. Brief the board substantively. Move beyond annual compliance reports to quarterly ICT risk briefings with metrics, scenarios, and challenge questions. The ECB will interview board members.

Medium-Term Actions (Q3 2026 - Q4 2027)

  1. Expand resilience testing scope. Basic DR testing is insufficient. The ECB expects scenario-based testing that covers cyber attacks, third-party failures, and operational disruptions. TLPT must be planned and scheduled for significant institutions.
  2. Conduct third-party deep dives. Assess critical cloud providers against DORA's requirements. Evaluate concentration risk using quantitative methods (HHI analysis) and qualitative methods (exit strategy viability).
  3. Build evidence management capabilities. The ECB's examination approach will require auditable evidence chains. Institutions that manage compliance through email and spreadsheets will struggle to produce the evidence that JSTs expect.
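The HHI concentration analysis mentioned in the second step, worked through on a constructed register extract. This is an added illustration, not code from the ECB or from DORA Atlas; the register rows, provider names, regions and the 2500 "highly concentrated" threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed extract of an Article 28 register of information (sample data,
# not a real institution): one row per ICT service supporting a critical or
# important function, with the provider and the region hosting it.
REGISTER = [
    ("payments",     "CloudA", "eu-west"),
    ("payments",     "CloudB", "eu-central"),
    ("trading",      "CloudA", "eu-west"),
    ("core-banking", "CloudB", "eu-west"),
    ("kyc",          "CloudA", "eu-west"),
    ("treasury",     "CloudC", "me-south"),
    ("reporting",    "CloudB", "eu-central"),
    ("hr-payroll",   "CloudC", "eu-west"),
]

# An HHI above this value is treated as "highly concentrated" (threshold
# borrowed from competition analysis; an assumption for this example).
HIGH_CONCENTRATION = 2500

def shares(rows, column):
    """Share of critical-service rows attributed to each value in a column."""
    counts = defaultdict(int)
    for row in rows:
        counts[row[column]] += 1
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}

def hhi(share_map):
    """Herfindahl-Hirschman Index: sum of squared percentage shares (0..10000)."""
    return round(sum((100 * s) ** 2 for s in share_map.values()), 1)

def single_provider_functions(rows):
    """Functions whose every supporting service runs at a single provider."""
    providers = defaultdict(set)
    for function, provider, _region in rows:
        providers[function].add(provider)
    return sorted(f for f, p in providers.items() if len(p) == 1)

def concentration_report(rows):
    """Provider and geographic HHI plus the functions with no provider diversity."""
    provider_hhi = hhi(shares(rows, 1))   # column 1 = provider
    region_hhi = hhi(shares(rows, 2))     # column 2 = hosting region
    return {
        "provider_hhi": provider_hhi,
        "provider_highly_concentrated": provider_hhi > HIGH_CONCENTRATION,
        "region_hhi": region_hhi,
        "region_highly_concentrated": region_hhi > HIGH_CONCENTRATION,
        "single_provider_functions": single_provider_functions(rows),
    }
```

Running `concentration_report(REGISTER)` on the sample shows both the provider and the region dimension above the threshold, and lists the functions that would be lost entirely if their one provider failed, which is the exit-strategy question the qualitative review then has to answer.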

Strategic Actions (2027-2028)

  1. Integrate digital resilience into enterprise risk management. The ECB wants digital resilience to be a standing agenda item at risk committee meetings, not a separate compliance exercise.
  2. Prepare for SREP integration. Understand how digital resilience metrics will feed into the SREP scoring and ensure that the institution's capital planning accounts for potential Pillar 2 implications.

Impact on Less Significant Institutions

While the ECB directly supervises only significant institutions, its supervisory priorities influence national competent authorities (NCAs) that supervise less significant institutions (LSIs). The EBA guidelines on DORA supervision apply to all financial entities, and NCAs typically align their examination priorities with the ECB's direction.

LSIs should expect their NCAs to adopt similar examination approaches to the ECB's 2026-2028 priorities, calibrated for proportionality. The core expectation — demonstrated operational resilience, not just documented compliance — applies regardless of institution size.

Conclusion

The ECB's 2026-2028 supervisory priorities mark the transition from DORA's "compliance phase" to its "demonstration phase." The message to significant institutions is unambiguous: documenting DORA compliance was the baseline expectation for year one. Starting in 2026, the ECB will verify that compliance documentation translates into operational capability — tested, evidenced, and governed at the board level.

For institutions that have invested genuinely in operational resilience, this is validation. For those that treated DORA as a documentation exercise, it is a warning. The ECB has laid out its three-year plan. The examination teams are assembling. The real test of DORA compliance begins now.


See also: DORA's Real Test Starts Now: IBM's Assessment | AMF 2026 Enforcement Priorities | DORA Enforcement Outlook 2026


Summary in French

On November 18, 2025, ECB Banking Supervision published its 2026-2028 supervisory priorities, elevating digital operational resilience to a top-tier supervisory priority. The three-year roadmap progresses from compliance verification (2026) to the assessment of operational testing (2027) and then to demonstrated resilience (2028). Key examination areas include: completeness of the register of information (Art. 28), incident reporting infrastructure (Art. 19), quality of the ICT risk management framework (Art. 5-6), third-party concentration risk, quality of resilience testing, and board-level ICT governance. The most significant change is the integration of digital resilience into the SREP process as a standalone assessment dimension, with potential consequences for capital requirements (Pillar 2). For the approximately 110 significant institutions under direct ECB supervision, the message is clear: documentary compliance was the baseline expectation for year one. From 2026, the ECB will verify that this compliance translates into operational capability.