Anneli Tuominen, ECB Supervisory Board member, emphasizes in Eurofi Magazine that digitalisation has increased banks’ efficiency but also exposed them to growing operational and cyber risks, amplified by geopolitical tensions. The ECB has long focused on operational resilience, conducting targeted reviews, on-site inspections, and cyber resilience stress tests. The Digital Operational Resilience Act (DORA), effective since January 2025, has further strengthened supervisory tools to manage these risks.
Tuominen highlights three key areas of progress:
- Change Management Risk: DORA’s expanded reporting framework has revealed that 38% of major ICT incidents in 2025 originated from IT changes. The ECB is focusing on improving banks’ processes and controls to reduce unplanned downtime and enhance resilience.
- Third-Party Dependencies: Banks’ reliance on cloud service providers has surged (from 4% of IT budgets in 2021 to 17% in 2025). DORA requires robust monitoring, contractual safeguards, and business continuity planning. The ECB is conducting on-site reviews and contributing to an EU-level oversight framework for 19 critical ICT providers to mitigate systemic risks.
- Ethical Hacking and Innovation: Systemically important banks must conduct advanced threat-led penetration tests (TLPT) every three years, simulating real-world cyberattacks. These tests inform both banks and supervisors about cybersecurity weaknesses and guide resilience strategies.
Looking forward, the ECB stresses that the key challenge is keeping pace with technological innovation, enabling banks to benefit from new technologies while managing associated risks, ensuring ongoing dialogue between supervisors and institutions.
(bankingsupervision.europa.eu)





