European Banking Authority Links DORA to Supervisory Reviews

The European Banking Authority is consulting on new Supervisory Review and Evaluation Process (SREP) Guidelines that explicitly reference the Digital Operational Resilience Act (DORA). The change mandates that banks integrate technology and operational resilience metrics into their core supervisory frameworks. This move elevates the strategic importance of SRE and platform functions within financial institutions, tying them directly to regulatory compliance.

- The Digital Operational Resilience Act (DORA) will be fully applicable to all financial entities in the EU starting January 17, 2025.
- The revised SREP Guidelines, which will incorporate DORA requirements, are expected to apply from January 1, 2027, following a consultation period ending in early 2026.
- This integration repeals the previous, separate guidelines for ICT risk assessment, folding them directly into the broader operational risk framework within SREP.
- DORA is structured around five key pillars: ICT Risk Management, Incident Reporting, Digital Operational Resilience Testing, Third-Party Risk Management, and Information Sharing.
- A key DORA requirement is mandatory threat-led penetration testing (TLPT) to be conducted at least every three years for larger financial institutions.
- Under DORA, major ICT-related incidents will require an initial report to regulators within four hours of classification, an intermediate report within 72 hours, and a final report within one month.
- The updated SREP methodology will take a more holistic approach, assessing how ICT risks impact the overall business model, internal governance, and risk management of a financial institution.
- National competent authorities will have the power to impose fines for non-compliance, with Germany, for instance, enabling fines of up to €5 million.
