Building Resilience: The Imperative of Reliable and Secure ICT in Banking

In an era when customers expect banking services to be seamless and available around the clock on any device, the resilience of information and communications technology (ICT) systems has become the backbone of the financial sector. A recent address by the European Central Bank (ECB) emphasized the critical need for banks to develop ICT systems that are both resilient and secure—two intertwined pillars that ensure the stability and trustworthiness of the entire financial ecosystem.

What happens when a core banking system fails?

Imagine it is 3 a.m., and a key data centre suddenly goes offline. Perhaps a regional flood has damaged critical infrastructure. In these moments, delays cascade: payments stall, decisions are made with incomplete information, and confidence in one institution quickly deteriorates into broader distrust across the financial system. Such scenarios underscore why ICT resilience is not just an IT concern but a matter of financial stability.

Safety and security: Two sides of resilience

The ECB’s message is clear: true ICT resilience encompasses two inseparable elements—safety and security.

  • Safety refers to the ability of ICT systems to operate reliably and continuously, ensuring that critical banking services remain accessible and that the data they generate is accurate and timely. This means that even in the face of hardware failures, natural disasters, or human errors, banks must maintain uninterrupted services and trustworthy data.

  • Security focuses on protecting these systems and data from the ever-evolving landscape of cyber threats. From sophisticated ransomware attacks to state-sponsored intrusions, banks must maintain robust cyber defences to safeguard data integrity and operational continuity.

Together, safety and security form the foundation of a resilient banking sector capable of withstanding unexpected shocks without compromising customer trust or financial stability.

Strengthening safety through robust systems and governance

Ensuring operational safety requires banks to go beyond simply preventing outages. They must develop comprehensive recovery strategies, maintain backup systems, and rigorously test these processes to ensure rapid recovery from disruptions. Importantly, the reliability of data—especially risk data—is paramount. Banks need modern data architectures that integrate multiple data streams into unified platforms with automated checks to flag anomalies quickly.

Governance plays a crucial role as well. The ECB demands that ICT risk and resilience be managed at the highest levels within banks, with boards taking direct responsibility for setting risk appetite and overseeing resilience metrics. Persistent failures, such as delays in consolidated risk reporting, will prompt supervisory intervention to enforce remediation.

A major challenge lies in the prevalence of legacy systems that, while functional, lack the flexibility and integration needed in today’s digital environment. Upgrading these systems is vital to ensuring long-term operational safety.

Enhancing security amid evolving cyber threats

Cybersecurity remains a top priority as banks face increasingly sophisticated and targeted attacks. The rise of ransomware and state-sponsored threats requires continuous investment in advanced detection, response, and recovery capabilities. Supervisory expectations are high: complacency is not an option.

The shift to cloud services and reliance on third-party providers introduces new operational dependencies. While cloud platforms generally maintain strong security, overdependence on a single provider or overly simplified integration patterns can create vulnerabilities and operational risks. Banks must manage these third-party risks carefully, with clear exit strategies and contingency plans.

The Digital Operational Resilience Act (DORA), a recent EU regulatory framework, strengthens requirements around incident reporting, cyberattack preparedness, and third-party risk oversight. The ECB, alongside national authorities, is committed to rigorous implementation of DORA to ensure a harmonized and elevated level of digital resilience across the financial sector.

A collaborative approach to resilience

The ECB is not only raising the bar for banks but also enhancing its own operational resilience. Recent exercises tested the readiness of supervisory authorities and banks for system-wide cyber incidents, with plans to expand these drills in coming years, including broader EU cooperation.

Conclusion: Banking is now fundamentally an IT business

The central takeaway is that banking has become fundamentally dependent on ICT. Resilience is no longer optional—it is a competitive imperative and a regulatory necessity. Boards must champion resilience cultures, invest in modern infrastructure, and treat every employee’s actions as integral to safeguarding the financial ecosystem.

When a core system fails at 3 a.m., the question is not whether disruption will occur, but how prepared banks and supervisors are to respond swiftly and effectively. The ECB’s firm stance and evolving regulatory framework aim to ensure that the answer is clear: the European banking sector is ready.

 

(ecb.europa.eu)
