Cyber and digital operational resilience
Context
Digitalisation and new technologies are transforming financial value chains, with both a growing use of digital solutions within financial institutions and an increasing role of information and communication technology (ICT) third-party providers, such as cloud service providers. These developments contribute to greater efficiency and enhanced services, but also increase the exposure of the financial sector to ICT risks, including cyber-attacks and system failures, while creating new dependency and concentration risks.
The Digital Operational Resilience Act (DORA), which establishes a harmonised framework for digital operational resilience across the EU financial sector, has been in application since January 2025. It sets out comprehensive requirements covering ICT risk management, incident reporting, digital operational resilience testing and the management of third-party ICT risk. DORA also introduces an EU-level oversight framework for critical ICT third-party providers (CTPPs), aimed at addressing concentration risks and strengthening the resilience of the financial system. While the core framework is now in place and the process for designating CTPPs is underway, further work is ongoing to operationalise their oversight and ensure its effective implementation.
The revised Network and Information Systems Directive (NIS2), which aims to strengthen and harmonise cybersecurity requirements across the EU, complements DORA by establishing broader cross-sectoral obligations on cybersecurity risk management, incident reporting and information sharing. In parallel, the European Supervisory Authorities (ESAs) and the ECB/SSM are strengthening supervisory convergence and their focus on cyber resilience through standards, cyber stress tests, thematic reviews and supervisory expectations.
Enhancing cyber and operational resilience is also a priority at the international level. The FSB, BIS and IOSCO have developed principles and recommendations covering cyber incident reporting, third-party and outsourcing risk, and the resilience of financial market infrastructures, including the FSB recommendations on cyber incident reporting (2023) and the CPMI-IOSCO guidance on cyber resilience. This work is being further refined through recent initiatives, including the FSB's work on third-party risk management and the development of a common global reporting format for operational incidents.
Eurofi documents
Extracted from the main Eurofi publications (Regulatory Updates, Views Magazines and Conference Summaries)
Regulatory Update
Eurofi policy notes
Summary
Session Summaries
Views The Eurofi Magazine
Eurofi Views Magazine chapters
-
Cyber-resilience first lessons from DORA September 2025
Cybersecurity and digital operational resilience April 2025
Open Finance and FiDA next steps April 2025
Cybersecurity and digital operational resilience September 2024
Cyber and digital operational resilience February 2024
Cyber and digital operational resilience September 2023
Digital operational and cyber-resilience April 2023
Key contributions
Speeches & interviews
-
Enhancing supervision: challenges and opportunities for the EU September 2025
Martin Moloney - Deputy Secretary General, Financial Stability Board
-
Conversation with Marianne Demarchi September 2025
Marianne Demarchi - Chief Executive EMEA, Swift
-
Cloud & AI in finance: regulatory evolution and AWS’s role in digital transformation September 2025
Mark Jopling - Head of Global Financial Services, EMEA & APAC - Amazon Web Services (AWS)
-
Cyber-resilience in the age of artificial intelligence April 2025
Chris Betz - Chief Information Security Officer - Amazon Web Services
-
Conversation with Mark Jopling - Head of Global Financial Services, EMEA and APJ, AWS September 2024
Mark Jopling - Head of Global Financial Services, EMEA and APJ, AWS