ECB Annual Report on Supervisory Activities 2025: What the Numbers Reveal About Digital Resilience
Banking | ECB Banking Supervision (Eurozone-Wide) | March 18, 2026 (ECB annual report publication)


The ECB's March 2026 annual report on supervisory activities provided the first comprehensive post-DORA dataset on digital resilience across eurozone banks — revealing significant gaps between compliance documentation and operational reality.


Key Metrics

Institutions Assessed: 109 significant institutions + LSIs (was: N/A). First DORA-specific SREP assessment.

Documentation vs. Operational Compliance: Significant operational gaps (was: ~100% documented). Policy-practice gap identified as systemic.

Third-Party Risk Maturity: Depth and exit strategies weak (was: Registers compiled). Identified as most significant gap area.

Incident Reporting Consistency: Significant variation across institutions (was: New requirement). Classification harmonization needed.

The Situation

Key Findings: The Data Behind the Headlines

The ECB's supervisory report contained several findings that collectively paint a picture of the eurozone's digital resilience posture in the first year of DORA.

ICT Risk Management Framework Maturity

The ECB's assessment of ICT risk management frameworks (DORA Art. 5-6) found that virtually all significant institutions had adopted formal frameworks. However, the quality and operational effectiveness of these frameworks varied significantly. Common weaknesses identified included incomplete ICT asset inventories that failed to capture all critical dependencies, risk assessments that did not adequately reflect the institution's actual threat landscape, and frameworks that were documented but not consistently followed in operational practice.

The gap between documentation and practice was a recurring theme. An ICT risk management framework that exists in policy documents but is not consistently applied to operational decisions — such as vendor selection, system architecture choices, or change management processes — provides compliance without resilience. The ECB's findings suggest that many institutions had achieved the former without fully achieving the latter.

Incident Reporting Patterns

The first year of DORA's incident reporting requirements revealed significant variation in reporting practices. Institutions with mature security operations centers and well-established incident management processes reported incidents consistently, with detailed classification, root cause analysis, and remediation tracking. Other institutions appeared to underreport, raising concerns about the adequacy of their detection and classification capabilities.

The ECB noted particular challenges with the classification of incidents. DORA's classification criteria — based on duration, geographic spread, data losses, and criticality of services affected — require consistent application across institutions. The report identified cases where similar events were classified differently by different institutions, suggesting that the classification framework needed further calibration and guidance.

Third-Party Risk Management Gaps

The ECB's assessment of third-party risk management (DORA Art. 28-44) identified this as one of the areas with the most significant gaps. While institutions had compiled ICT third-party registers, these registers often did not capture the full depth of vendor dependency chains. Sub-outsourcing relationships — where a direct vendor outsources critical functions to its own third parties — were frequently missing from risk assessments.

Concentration risk analysis was particularly weak. Few institutions had conducted quantitative concentration risk assessments for their ICT service providers, and fewer still had developed credible exit strategies for their most critical vendor relationships. The practical challenge of developing an exit strategy for a major cloud provider — which would require migrating core banking applications to an alternative platform — was acknowledged but rarely addressed with actionable plans.

Resilience Testing Programme Assessment

The ECB's evaluation of resilience testing programmes (DORA Art. 24-27) found that most institutions conducted some form of resilience testing, but the scope, depth, and realism of testing varied widely. Tabletop exercises were common; full technical simulations involving actual system failover and recovery were less so. Threat-led penetration testing (TLPT) as specified in Art. 26-27 was in early stages of implementation for most institutions.

A notable finding was the gap between tested scenarios and actual incidents. Several major incidents that affected eurozone banks during 2025 — including the Iberian blackout, CrowdStrike outage effects, and various vendor disruptions — involved scenarios that were not covered by the affected institutions' resilience testing programmes. This suggests that testing programmes were not adequately informed by the evolving threat landscape.

The Challenge

The First DORA Report Card

On March 18, 2026, the European Central Bank published its annual report on supervisory activities for 2025 — the first full year of DORA applicability. The report, available on bankingsupervision.europa.eu, provided unprecedented transparency into the state of digital operational resilience across the eurozone's 109 directly supervised significant institutions and thousands of less significant institutions supervised by national competent authorities.

The data painted a sobering picture. While most banks had achieved formal DORA compliance at the documentation level — ICT risk management frameworks adopted, incident reporting procedures established, third-party risk registers compiled — the ECB's supervisory assessments revealed that the gap between documented frameworks and operational reality remained substantial. Banks had the right policies; the question was whether those policies were effectively implemented, tested, and maintained.

The ECB's Supervisory Review and Evaluation Process (SREP) for 2025 incorporated DORA-specific assessment criteria for the first time. These criteria examined not just whether institutions had adopted ICT risk management frameworks (Art. 5-6) but whether those frameworks were operationally effective — whether risk registers reflected actual dependencies, whether incident response capabilities had been tested under realistic conditions, whether third-party risk assessments identified material concentration risks, and whether business continuity plans addressed the specific scenarios relevant to each institution.

The report's findings on ICT incident reporting were particularly revealing. In the first year of DORA's incident reporting requirements (Art. 17-19), the volume and quality of reported incidents varied dramatically across institutions and member states. Some institutions reported dozens of incidents with detailed root cause analysis; others reported minimal incidents, raising questions about whether their detection capabilities were adequate or whether they were underreporting.

For the compliance community, the ECB's report provided the first evidence-based benchmark for DORA maturity across the eurozone. It established what "good" looks like, identified common weaknesses, and signaled the areas where supervisory attention would intensify in subsequent years.

The Approach

Reading Between the Lines: Supervisory Priorities for 2026

The ECB's annual report is not just a backward-looking assessment — it is a forward-looking signal of where supervisory attention will intensify. Several themes in the 2025 report indicate priorities that will shape DORA enforcement in 2026 and beyond.

Priority 1: From Documentation to Demonstration

The report's emphasis on the gap between documented frameworks and operational effectiveness signals that future supervisory assessments will increasingly require institutions to demonstrate, not just document, their DORA compliance. Demonstrating compliance means showing that ICT risk management frameworks are operationally effective — that risk registers are current, that incident response has been tested, that third-party dependencies are actively monitored, and that business continuity plans work in practice.

This shift from "show us your policy" to "show us it works" mirrors the trajectory seen in the ASIC vs FIIG Securities case and signals that DORA enforcement is maturing from documentation review to operational verification.

Priority 2: Incident Classification Harmonization

The variation in incident classification practices identified in the report will likely drive further ECB guidance on classification methodology. Consistent classification is essential for aggregated risk monitoring — if similar events are classified differently across institutions, the ECB cannot reliably assess sector-wide incident trends, identify emerging threats, or compare institutional resilience.

Financial institutions should anticipate updated classification guidance and ensure that their incident management processes can adapt. Investment in automated classification tools — which apply consistent criteria across all incidents — may become a practical necessity as reporting volume increases.
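As an added illustration of what "automated classification that applies consistent criteria" can look like (example code, not from the ECB report or any institution's tooling), the function below evaluates the criteria the text names (duration, geographic spread, data losses, criticality of services) with one fixed rule per criterion and returns the evidence alongside the verdict. The numeric thresholds are assumptions modelled on the DORA classification RTS and must be checked against the current regulatory text; the sample incidents are constructed.

```python
from dataclasses import dataclass

# Illustrative thresholds. Assumption: modelled on the DORA major-incident
# classification RTS; verify against the current regulatory text before use.
DURATION_HOURS = 24        # incident lasting longer than this meets "duration"
DOWNTIME_HOURS = 2         # critical-service downtime longer than this also does
MEMBER_STATES = 2          # "geographic spread": impact in at least this many
OTHER_CRITERIA_NEEDED = 2  # other criteria required alongside critical services

@dataclass(frozen=True)
class Incident:
    ref: str
    critical_service_affected: bool
    duration_hours: float
    downtime_hours: float
    member_states_affected: int
    data_loss: bool                 # any availability/integrity/confidentiality impact
    malicious_access: bool = False  # successful, malicious, unauthorised access

def criteria_met(inc: Incident) -> dict[str, bool]:
    """Apply the same rule per criterion to every incident; no analyst judgement."""
    return {
        "critical_services": inc.critical_service_affected,
        "duration": inc.duration_hours > DURATION_HOURS
        or (inc.critical_service_affected and inc.downtime_hours > DOWNTIME_HOURS),
        "geographic_spread": inc.member_states_affected >= MEMBER_STATES,
        "data_losses": inc.data_loss,
    }

def classify(inc: Incident) -> dict:
    """Return the verdict plus the evidence, so the reasoning is auditable."""
    met = criteria_met(inc)
    others = sorted(k for k, v in met.items() if v and k != "critical_services")
    if not met["critical_services"]:
        return {"ref": inc.ref, "major": False, "criteria_met": met,
                "rationale": "critical services not affected"}
    major = inc.malicious_access or len(others) >= OTHER_CRITERIA_NEEDED
    return {"ref": inc.ref, "major": major, "criteria_met": met,
            "rationale": "critical services affected; other criteria met: "
                         + (", ".join(others) or "none")}

# Constructed sample incidents (not real reports).
SAMPLES = [
    Incident("INC-1", True, 30, 5, 1, False),      # long outage, one country
    Incident("INC-2", True, 30, 5, 3, False),      # same outage, three countries
    Incident("INC-3", False, 48, 0, 4, True),      # non-critical service
    Incident("INC-4", True, 1, 0, 1, True, True),  # short, but malicious breach
]
```

Running every incident through the same function is what removes the institution-to-institution variation the ECB observed: INC-1 and INC-2 differ only in geographic spread, and only the second crosses the two-criteria line.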

Priority 3: Third-Party Risk Depth

The report's identification of third-party risk management as a significant gap area signals intensive supervisory attention to DORA Art. 28-44 compliance. Future SREP assessments will likely examine the depth and quality of vendor dependency mapping, the rigor of concentration risk analysis, the credibility of exit strategies, and the adequacy of contractual provisions.

Institutions should prioritize completing multi-layer dependency mapping for critical vendors, conducting quantitative concentration risk assessments, developing actionable exit strategies for their top-5 ICT dependencies, and ensuring contractual compliance with Art. 30.
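To show why multi-layer dependency mapping changes the concentration picture (the sub-outsourcing gap described under Third-Party Risk Management Gaps and in Priority 3), here is an added example that is not from the report or any institution's register: it walks a constructed register of critical functions, their direct vendors and each vendor's sub-outsourcers, attributes every critical function to every provider reachable in the chain, and flags providers whose share of critical functions exceeds an assumed 50% limit, marking those that never appear as a direct vendor. All names and the 50% threshold are assumptions.

```python
from collections import defaultdict

# Constructed register extract (not a real institution's data).
# Critical function -> direct ICT vendors, as a DORA register would list them.
CRITICAL_FUNCTIONS = {
    "payments": ["core-banking-saas", "fraud-scoring"],
    "online-banking": ["web-platform", "identity-provider"],
    "trading": ["market-data-feed"],
}
# Vendor -> providers it sub-outsources to (the layer registers usually miss).
SUBCONTRACTING = {
    "core-banking-saas": ["cloud-a"],
    "fraud-scoring": ["cloud-a"],
    "web-platform": ["cdn-x", "cloud-a"],
    "identity-provider": ["cloud-b"],
    "market-data-feed": ["cloud-a"],
    "cdn-x": ["cloud-b"],
}

def dependency_closure(vendor: str, subcontracting: dict) -> set[str]:
    """Vendor plus every provider reachable through sub-outsourcing (cycle-safe)."""
    closure, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v in closure:
            continue
        closure.add(v)
        stack.extend(subcontracting.get(v, []))
    return closure

def exposure_by_provider(functions: dict, subcontracting: dict) -> dict[str, set[str]]:
    """Map every provider, direct or indirect, to the critical functions resting on it."""
    exposure = defaultdict(set)
    for function, vendors in functions.items():
        for vendor in vendors:
            for provider in dependency_closure(vendor, subcontracting):
                exposure[provider].add(function)
    return dict(exposure)

def concentration_report(functions: dict, subcontracting: dict, max_share: float = 0.5):
    """Providers whose share of critical functions exceeds max_share, as
    (provider, share, hidden); hidden means it appears only via sub-outsourcing."""
    direct = {v for vendors in functions.values() for v in vendors}
    exposure = exposure_by_provider(functions, subcontracting)
    report = [(p, len(f) / len(functions), p not in direct)
              for p, f in exposure.items() if len(f) / len(functions) > max_share]
    return sorted(report, key=lambda r: -r[1])
```

On this register no direct vendor exceeds a one-third share, yet cloud-a underpins every critical function through the second layer, which is exactly the concentration a direct-vendor-only register cannot show.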

Priority 4: Resilience Testing Realism

The report's finding that tested scenarios did not align with actual incidents signals that the ECB will push for more realistic and threat-informed resilience testing programmes. Testing programmes that rely on generic scenarios — "server failure," "network outage" — without incorporating current threat intelligence and recent incident patterns will be found insufficient.

DORA Art. 24 requires testing programmes to cover "a range of scenarios." The ECB's report suggests that this range must include scenarios informed by actual incidents (Iberian blackout, vendor outages, nation-state threats), emerging threats (geopolitical conflict, infrastructure concentration), and institution-specific risks (unique vendor dependencies, geographic exposures, customer concentration).

Priority 5: Board-Level Engagement

The report emphasized the importance of management body engagement with ICT risk — consistent with DORA Art. 5(2)'s requirement that the management body bear ultimate responsibility. Future SREP assessments will likely examine whether boards demonstrate genuine understanding of their institution's ICT risk profile, whether ICT risk reporting to the board is adequate and timely, and whether resource allocation decisions reflect the institution's actual ICT risk exposure.

The Results

The DORA Maturity Baseline

The ECB's 2025 supervisory report establishes the first evidence-based DORA maturity baseline for the eurozone banking sector. This baseline will serve as the reference point for measuring progress in subsequent years and for identifying institutions that are falling behind.

Maturity Distribution

The report revealed a wide distribution in DORA maturity across eurozone institutions. A small group of leading institutions — predominantly the largest systemically important banks with established cybersecurity programmes — demonstrated operational DORA compliance. They had effective ICT risk management, mature incident reporting, comprehensive third-party risk assessment, and realistic resilience testing. The majority of institutions occupied a middle ground: formal compliance achieved, but operational effectiveness still developing. A tail of institutions — particularly smaller banks and those in member states with less mature supervisory traditions — showed significant gaps in multiple DORA pillars.

This distribution is consistent with the experience of other major regulatory implementations. The first year typically achieves formal compliance; the second and third years are where operational maturity develops. The ECB's supervisory intensity will likely increase each year as expectations for operational effectiveness rise.

Cross-Pillar Observations

The report identified several cross-pillar patterns that affect DORA implementation holistically:

Data quality drives everything. The effectiveness of ICT risk management, incident classification, third-party risk assessment, and resilience testing all depend on the quality of underlying data — ICT asset inventories, vendor dependency maps, incident records, and testing results. Institutions with poor data quality struggled across all DORA pillars.

Integration between pillars is weak. Most institutions implemented DORA's pillars as separate compliance workstreams rather than as integrated components of a unified operational resilience framework. Incident learnings were not systematically fed into resilience testing scenarios. Third-party risk findings were not consistently reflected in business continuity plans. This siloed approach produces compliance but not resilience.

Resource constraints limit depth. Many institutions — particularly mid-tier banks — cited resource constraints as a barrier to deeper DORA implementation. The personnel, tools, and budget required for comprehensive ICT risk management, continuous monitoring, and realistic resilience testing exceed what many institutions had allocated. The ECB acknowledged this challenge but signaled that resource constraints would not be accepted as justification for inadequate compliance.

Implications for 2026

The ECB's report creates clear expectations for 2026: move from documentation to demonstration, deepen third-party risk analysis, enhance incident classification consistency, align resilience testing with actual threat landscape, and ensure genuine board engagement. Institutions that do not show measurable progress on these dimensions can expect intensified supervisory engagement, including potential enforcement actions under DORA Art. 50.

For the broader DORA community, the ECB's report provides the most authoritative available assessment of where European banking stands on digital operational resilience — and the distance still to be traveled.

Lessons Learned

  1. DORA Art. 5-6 compliance requires operational effectiveness, not just documentation — the ECB's SREP assessment will increasingly require institutions to demonstrate that frameworks are implemented, tested, and maintained, not just adopted.
  2. DORA Art. 17-19 incident classification must be harmonized across institutions for effective sector-wide risk monitoring — inconsistent classification prevents the ECB from identifying emerging threats and comparing institutional resilience.
  3. DORA Art. 28-44 third-party risk management is the area with the most significant gaps — multi-layer dependency mapping, quantitative concentration risk analysis, and credible exit strategies are the key deficiencies to address.
  4. DORA Art. 24 resilience testing programmes must be informed by actual incidents and current threat intelligence — testing programmes based on generic scenarios fail to prepare institutions for the events that actually occur.
  5. Data quality is the foundation of DORA compliance across all pillars — incomplete ICT asset inventories, inaccurate vendor dependency maps, and poor incident records undermine risk management, incident response, and resilience testing simultaneously.
  6. Cross-pillar integration is essential — implementing DORA's pillars as separate compliance workstreams produces documentation compliance without operational resilience; incident learnings must feed into testing, and third-party findings must inform continuity planning.

Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.
