
ECB Cyber Resilience Stress Test 2024: What 109 Banks Revealed About Recovery Gaps
In 2024, the European Central Bank conducted its first-ever cyber resilience stress test across 109 directly supervised banks, finding that while response frameworks exist, significant recovery capability gaps remain.
Key Metrics
- Banks tested: 109 (first-ever ECB cyber stress test).
- Key finding: recovery gaps (per ECB press release).
- Exercise date: H1 2024 (results published July 2024).
- SREP integration: yes (findings feed into supervision).
The Situation
The Supervisory Context
The ECB's cyber stress test was conducted against the backdrop of an escalating cyber threat landscape and the approaching DORA application date of January 17, 2025. According to the ECB's published rationale, several factors drove the decision to conduct this first-of-its-kind exercise:
Threat environment factors cited by the ECB:
- The increasing frequency and sophistication of cyberattacks targeting financial institutions, including ransomware campaigns, supply chain compromises, and state-sponsored operations.
- The growing interconnectedness of financial institutions with ICT third-party service providers, creating systemic exposure to single points of failure.
- The geopolitical context, with the ECB noting that cyber threats had intensified in the context of geopolitical tensions.
Regulatory alignment:
The timing was deliberate. According to ECB publications, the cyber stress test was designed to complement the DORA regulation's implementation timeline. The exercise tested capabilities that DORA would formally require from January 2025 onward, providing both a baseline assessment and a supervisory signal about expected standards.
Exercise design (as publicly described by the ECB):
- All 109 directly supervised significant institutions participated.
- The core scenario involved a severe cyberattack resulting in disruption of critical services.
- Banks completed a questionnaire-based self-assessment covering their response and recovery frameworks.
- A subset of banks (28 of the 109, according to the ECB) underwent a more intensive assessment with on-site validation of their stated capabilities, including evidence review and interviews with key personnel.
- The exercise assessed organizational readiness (governance, roles, escalation), technical readiness (backup integrity, system restoration, data validation), communication readiness (internal escalation, regulatory notification, customer communication), and business continuity (manual fallback procedures, alternative processing arrangements).
According to Frank Elderson, Vice-Chair of the ECB's Supervisory Board, as quoted in the ECB's press release: "This stress test is an important milestone in the supervisory landscape. It provides insights into the recovery capabilities of banks in the event of a severe cyber incident."
The Challenge
The First Supervisory Cyber Stress Test
In 2024, the European Central Bank (ECB) Banking Supervision conducted its first dedicated cyber resilience stress test. According to the ECB's press release of July 26, 2024, the exercise covered 109 directly supervised banks and was designed to assess how banks would respond to and recover from a severe but plausible cybersecurity incident.
The stress test scenario, as described in ECB publications, postulated a successful cyberattack that bypassed preventive measures and caused significant disruption to a bank's core systems. The exercise was not about testing whether banks could prevent attacks (it explicitly assumed that prevention had failed) but about how effectively they could respond, continue critical operations, and restore normal service.
According to the ECB's published summary:
- Banks were required to demonstrate their incident response activation procedures, including how they would classify the severity of the attack, escalate internally, and notify relevant authorities.
- Banks had to show how they would maintain critical business functions during the disruption, including payment processing, customer access, and regulatory reporting.
- Banks were tested on their recovery capabilities, including the ability to restore systems from backups, validate data integrity after restoration, and return to normal operations within their stated recovery time objectives.
- Communication plans were assessed, including how banks would communicate with customers, counterparties, regulators, and the media during and after the incident.
The ECB's stated objective was to identify areas for improvement, not to assign pass/fail grades or impose automatic supervisory consequences. However, findings from the exercise would feed into the ongoing Supervisory Review and Evaluation Process (SREP).
The Approach
Key Findings and DORA Alignment
According to the ECB's published results and subsequent communications, the cyber stress test revealed several areas of strength and areas requiring improvement across the 109 participating banks.
What the ECB Found (Publicly Reported)
Areas of relative strength:
- Most banks had established incident response frameworks with defined roles, escalation procedures, and communication protocols.
- Most banks had dedicated cybersecurity teams and had invested in detection and prevention capabilities.
- Most banks had business continuity plans that addressed cyber scenarios at a general level.
Areas identified for improvement (as publicly stated by the ECB):
- Recovery capabilities: The ECB noted that while banks had response frameworks, their ability to actually recover systems — restore from backups, validate data integrity, and resume normal operations within stated RTOs — showed more significant variation and, in some cases, material gaps.
- Backup procedures: Some banks' backup arrangements were not fully adequate for the scenario tested. Questions arose about backup isolation (whether backups themselves could be compromised in a sophisticated attack), backup testing frequency, and the time required to restore from backups at scale.
- Communication plans: The ECB identified room for improvement in how banks would communicate with external stakeholders during a crisis, including customers, counterparties, and regulatory authorities. Some communication plans were found to be generic rather than tailored to cyber-specific scenarios.
- Third-party dependencies: Recovery plans did not always adequately account for dependencies on ICT service providers, including scenarios where the third-party provider itself was compromised or unavailable.
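The backup isolation and post-restore integrity points in the list above, together with the recovery-within-RTO validation described under The Challenge, are the findings a practitioner can actually exercise rather than document. The following is an added example (not ECB material and not code from any bank or from this page's author) of a minimal restore-drill harness. It assumes a backup set represented as a dictionary of file names to bytes, and a manifest-signing key held outside the backup store (for instance in an HSM or a separate KMS account the backup system cannot write to); the file names, contents and key are constructed for illustration.

```python
"""Added example: a restore-drill harness for a backup set.

Demonstrates three checks the ECB findings above point at:
  1. post-restore data integrity (per-file SHA-256 against a manifest),
  2. backup isolation (the manifest is HMAC-authenticated with a key the
     backup store never holds, so an intruder who can rewrite the backups
     and their hash list still cannot forge an authentic manifest),
  3. restore time measured against the stated RTO.
All file names, contents and keys here are constructed for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample backup set (assumption: two files stand in for the
# full restore scope of a critical service).
SAMPLE_FILES: dict[str, bytes] = {
    "ledger.db": b"acct=1001;bal=250000\nacct=1002;bal=9800\n",
    "config.yaml": b"payments_engine:\n  mode: primary\n",
}
# Assumption: this key lives outside the backup store and is readable only
# by the restore-verification role, never by the backup writer.
MANIFEST_KEY = b"constructed-manifest-key-not-in-backup-store"


def _canonical(hashes: dict[str, str]) -> bytes:
    """Stable serialisation of the hash list so the HMAC is reproducible."""
    return "\n".join(f"{n}:{h}" for n, h in sorted(hashes.items())).encode()


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Hash each file and authenticate the whole list with HMAC-SHA256."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    return {"hashes": hashes, "tag": hmac.new(key, _canonical(hashes), "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Constant-time check that the hash list was produced by the key holder."""
    expected = hmac.new(key, _canonical(manifest["hashes"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


@dataclass
class DrillResult:
    manifest_authentic: bool
    restore_seconds: float
    rto_seconds: float
    missing: list[str] = field(default_factory=list)
    corrupted: list[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return (self.manifest_authentic and not self.missing and not self.corrupted
                and self.restore_seconds <= self.rto_seconds)


def run_restore_drill(backup: dict[str, bytes], manifest: dict, key: bytes,
                      restore: Callable[[dict[str, bytes]], dict[str, bytes]],
                      rto_seconds: float) -> DrillResult:
    """Time the restore procedure, then verify what came back against the
    independently authenticated manifest. An untrusted manifest stops the
    drill early: its hashes prove nothing."""
    start = time.monotonic()
    restored = restore(backup)
    elapsed = time.monotonic() - start
    result = DrillResult(manifest_is_authentic(manifest, key), elapsed, rto_seconds)
    if not result.manifest_authentic:
        return result
    for name, digest in manifest["hashes"].items():
        if name not in restored:
            result.missing.append(name)
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            result.corrupted.append(name)
    return result


def demo() -> dict[str, DrillResult]:
    """Four constructed scenarios: a clean drill; an intruder who rewrote the
    backups and the hash list but could not forge the tag; silent corruption
    of one file with the manifest intact; and a restore that misses its RTO."""
    manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)
    identity_restore = lambda b: dict(b)  # stand-in for the real restore job

    tampered = dict(SAMPLE_FILES)
    tampered["ledger.db"] = b"acct=1001;bal=0\nacct=1002;bal=0\n"
    # Hash list recomputed by the intruder; the old tag is reused because
    # the intruder never had MANIFEST_KEY.
    forged = {"hashes": build_manifest(tampered, b"wrong")["hashes"], "tag": manifest["tag"]}

    def slow_restore(b):
        time.sleep(0.05)  # simulated slow restore; the RTO below is 0.01 s
        return dict(b)

    return {
        "clean": run_restore_drill(SAMPLE_FILES, manifest, MANIFEST_KEY, identity_restore, 3600),
        "tampered_store": run_restore_drill(tampered, forged, MANIFEST_KEY, identity_restore, 3600),
        "silent_corruption": run_restore_drill(tampered, manifest, MANIFEST_KEY, identity_restore, 3600),
        "rto_missed": run_restore_drill(SAMPLE_FILES, manifest, MANIFEST_KEY, slow_restore, 0.01),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: passed={r.passed} authentic={r.manifest_authentic} "
              f"missing={r.missing} corrupted={r.corrupted} t={r.restore_seconds:.3f}s")
```

The design choice worth noting is the separation between the backup store and the manifest key: a hash list stored next to the backups only detects accidental corruption, whereas an HMAC (or a signature) whose key the backup writer cannot reach also detects the case the ECB raised, an attacker who deliberately targets the backups. In a real drill the identity restore would be replaced by the actual restore job against segregated restore infrastructure, and the elapsed time would be compared against the RTO the bank states to its supervisor.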
Direct Mapping to DORA Requirements
The ECB's findings map directly to DORA's Pillar III (Digital Operational Resilience Testing) and Pillar I (ICT Risk Management) requirements:
- Art. 24(1): Financial entities must establish "a sound and comprehensive digital operational resilience testing programme." The ECB stress test revealed that many banks' testing programmes had not adequately addressed recovery from severe cyber incidents.
- Art. 24(2): The testing programme must be run "with a view to assessing preparedness for handling ICT-related incidents" and identifying weaknesses, deficiencies and gaps. The gaps found in communication plans and recovery procedures show that this assessment requirement has real substance.
- Art. 11(4): ICT business continuity plans must include "restore and recovery procedures" that are "necessary to re-establish the ICT systems and data of the financial entity." The ECB found this to be an area where significant improvement was needed.
- Art. 12(2): Backup policies must ensure that backups are "sufficiently separated from the ICT system they back up" and "protected against unauthorized access or ICT corruption." The findings around backup adequacy speak directly to this requirement.
- Art. 11(7): Business continuity plans must be "reviewed at least once a year" and tested. The ECB exercise itself serves as a model for what DORA-compliant testing should encompass.
The Results
Published Outcomes and Supervisory Impact
According to the ECB's press release of July 26, 2024, and subsequent publications:
- The ECB shared individual feedback with each participating bank, identifying specific areas for improvement. These findings were integrated into the ongoing SREP (Supervisory Review and Evaluation Process) for each institution.
- The ECB stated that, overall, the exercise showed that banks had room for improvement in their ability to recover from a severe cyberattack, even where response frameworks were in place.
- The ECB did not publish institution-specific results but provided aggregate findings to the industry.
- The exercise was characterized as a baseline assessment that would inform future supervisory expectations, particularly in the context of DORA implementation.
Supervisory follow-up (as publicly communicated by the ECB):
- Banks identified as having material gaps were expected to develop remediation plans and would be subject to supervisory follow-up.
- The ECB indicated that cyber resilience testing would become a regular component of the supervisory toolkit, consistent with DORA's requirements for ongoing resilience testing programmes.
- The exercise informed the ECB's supervisory priorities, with digital operational resilience remaining a key focus area for 2025 and beyond.
Industry reaction (as reported in press):
- Banking industry associations acknowledged the exercise as constructive, noting that it highlighted the difference between having plans on paper and having operationally validated recovery capabilities.
- Several banks publicly stated that the exercise had prompted investments in backup architecture, incident response exercising, and communication protocol improvements.
- Cybersecurity advisory firms noted that the exercise had accelerated demand for operational resilience consulting services ahead of the DORA application date.
The ECB's 2024 cyber stress test represents the first large-scale supervisory validation of DORA-relevant capabilities. Its findings — particularly around recovery gaps — provide empirical evidence that the regulation's emphasis on testing, recovery, and business continuity is well-founded and addresses real capability shortfalls in the European banking sector.
Lessons Learned
1. The ECB stress test validated DORA Art. 24-27 testing requirements by demonstrating that response frameworks alone are insufficient: recovery capability must be operationally validated through structured testing programmes.
2. DORA Art. 11(4) recovery and restoration requirements address the specific gap the ECB identified: banks could describe how they would respond to a cyber incident but struggled to demonstrate they could actually restore systems and validate data integrity within their stated recovery objectives.
3. DORA Art. 12(2) backup isolation requirements are directly relevant to the ECB's findings. Backup architectures must be tested against sophisticated attack scenarios in which the attacker specifically targets backup infrastructure.
4. The ECB exercise demonstrates the supervisory model DORA envisions: not one-time audits but ongoing, structured assessments that test real capabilities rather than policy documentation.
5. Communication plan gaps found by the ECB reinforce DORA Art. 17(3) requirements for pre-defined communication plans covering staff, external stakeholders, clients and the media, together with the major-incident reporting timelines of Art. 19, with content specific to cyber scenarios rather than generic crisis templates.
6. The 109-bank scope demonstrates that DORA's Pillar III requirements apply at scale: every significant institution must have operationally validated resilience testing, not just the largest systemic banks.