The EBA publishes its 2026 Work Programme and takes action for a more efficient regulatory and supervisory framework in the EU

A Risk Manager's Guide to the EBA's DORA Cybersecurity Measures

Introduction

With the implementation of DORA, the EBA is intensifying its focus on cybersecurity and ICT risk management. This heightened scrutiny is a direct response to a threat landscape where operational risk is increasingly driven by cyber threats, fueled by global geopolitical tensions and a growing reliance on third‑party providers. For risk managers in financial institutions, understanding the EBA's supervisory and oversight priorities is crucial for ensuring compliance and bolstering resilience. This article outlines the specific measures the EBA is applying in this domain, based on its official communications. It assumes a working familiarity with DORA's core principles and fundamental cybersecurity concepts.

1. Enhanced Oversight of Critical ICT Third‑Party Providers (CTPPs)

A primary focus for the EBA in 2026 will be the establishment of direct oversight of Critical ICT Third‑Party Providers (CTPPs), a significant new mandate under DORA.

1.1 The Joint Oversight Framework

The EBA, alongside the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will ramp up a "joint oversight venture" of CTPPs. This joint oversight will commence in 2026 for providers that are designated as critical in 2025. In parallel, the EBA is actively working to support "supervisory convergence" among EU authorities to ensure a consistent application of DORA across the Union.

1.2 Key EBA Oversight Activities

As part of its 'Activity 4,' the EBA's oversight will involve direct engagement and detailed review of CTPPs to ensure they meet DORA's operational resilience standards. Key objectives of the EBA's oversight activities include:

  • Engaging directly with CTPPs regarding their governance, strategy, and the ICT services they offer to EU financial entities.
  • Conducting horizontal thematic reviews of contracts and Service Level Agreements (SLAs) between CTPPs and financial entities.
  • Performing thematic deep‑dives and potential onsite inspections focused on high‑risk areas of CTPPs.
  • Carrying out broader horizontal oversight, including the risk assessment for 2027 and the annual criticality assessment of third‑party providers.

1.3 Direct Implications for Financial Institutions

The EBA's oversight of CTPPs will have direct consequences for financial institutions. Competent Authorities (CAs) will be responsible for following up on the Lead Overseer's recommendations with the financial entities they supervise. Supervisors will be expected to assess the soundness of a financial entity's ICT third‑party risk management framework, focusing on several specific areas. Risk managers should ensure their institutions are prepared for scrutiny in the following domains:

  • Compliance of contractual arrangements with the DORA framework.
  • Comprehensiveness of the institution's registers of information.
  • Effectiveness of monitoring for key ICT subcontractors.
  • Comprehensive consideration of the DORA CTPPs' oversight framework within the institution's own risk management processes.

Risk managers should treat this list as a direct checklist for conducting internal gap analyses of their existing third‑party risk management frameworks ahead of supervisory reviews.

2. EBA Measures for Cybersecurity and ICT Risk Management

Beyond the direct oversight of CTPPs, the EBA is implementing broader measures to analyze and respond to the evolving ICT threat landscape affecting the entire financial sector. This includes threats such as distributed denial‑of‑service (DDoS) attacks linked to geopolitical events and state‑sponsored cyberattacks designed to disrupt operations or undermine trust in the financial system.

2.1 Threat Analysis and Coordinated Incident Response

The EBA will perform analysis of major ICT incidents and cyber threats reported by financial entities. In collaboration with the other European Supervisory Authorities (ESAs), it will analyze the "ICT threat landscape" based on incident reports and contribute to the preparation of the ESAs' Annual Report on ICT incidents.

Furthermore, the EBA will play a key role in the operationalization and maintenance of the pan‑European systemic cyber incident communication and coordination framework, known as EU‑SCICF. This framework is designed to facilitate a rapid and coordinated response among authorities in the event of a major, cross‑border cyber incident. Risk managers must review and align their internal incident response and communication plans with this pan‑European framework to ensure seamless coordination during a crisis.

2.2 Supervisory Expectations for Internal Cybersecurity Preparedness

Risk managers must prepare for direct supervisory assessment of their institution's internal cybersecurity preparedness. This means ensuring that internal frameworks, processes, and controls are robust and well‑documented. Key assessment criteria will include:

  • The effectiveness of testing protocols and the sufficiency of ICT‑related incident management processes.
  • The level of cyber risk awareness across the entire institution, from the front line to the boardroom.
  • The degree of engagement by the management body in monitoring ICT risk.
  • The magnitude of costs and losses resulting from ICT‑related incidents, which will be used as a key metric to assess the effectiveness of the institution's defenses.
  • The thoroughness of the institution's ICT risk assessment covering all legacy ICT systems.

3. Supporting Frameworks and Future Outlook

The EBA's DORA‑related activities are supported by new technical infrastructure and a clear forward‑looking agenda, signaling a long‑term commitment to enhancing digital operational resilience.

3.1 New Technical and Data Infrastructure

To support these new supervisory and oversight functions, the EBA is deploying dedicated IT solutions. These include specific systems for the DORA designation of CTPPs and the Register of Information, and the rollout of DORA oversight systems for examination teams. Additionally, the EBA's EUCLID platform will be used for collecting new data sets from financial entities, including those newly brought under the EBA's perimeter as a result of DORA. Risk managers must ensure their data governance and reporting processes are prepared to supply these new, mandatory data sets accurately and efficiently.

3.2 What's on the Horizon?

The EBA's work in this area is ongoing. The deployment of Cybersecurity Frameworks and the Implementation of New Cybersecurity Regulation are planned throughout the year. Looking further ahead, the EBA has identified DORA non‑oversight topics, such as the supervisory response to incident reporting, as a potential subject for a peer review commencing in 2027. This indicates that regulatory scrutiny will continue to evolve, requiring constant vigilance and adaptation from risk management functions within financial institutions.