ECB video sparks API alarm

A widely shared YouTube video is warning banks they have “only three weeks” to fix an ECB-linked API problem, but the formal deadline in the European Union rulebook sits with DORA reporting and supervisory collection, not with a public ECB countdown video. (youtube.com) (esma.europa.eu) The rule at the center of the scramble is the Digital Operational Resilience Act, or DORA, an EU law that took effect on January 17, 2025 and requires financial firms to keep a detailed register of their contracts with information and communication technology providers. (esma.europa.eu) (eba.europa.eu) European Supervisory Authorities said the first submission of those registers to them was due by April 30, 2025, with national supervisors free to demand the files from firms earlier on their own timetables. (esma.europa.eu) (eba.europa.eu) An application programming interface, or API, is the software doorway one system uses to exchange data with another, and under DORA those connections matter when they sit inside outsourced technology services, cloud setups, payment systems, or security tooling. (eba.europa.eu) (bankingsupervision.europa.eu) That is why bank teams are checking more than code. They are matching APIs to vendors, contracts, critical services, and evidence files that supervisors can review if a connection supports an important banking function. (eba.europa.eu 1) (eba.europa.eu 2) The European Central Bank has separately spent the past two years pressing banks on operational resilience, cloud outsourcing, and cyber controls. It said third-party risk management remained high on its supervisory priorities for 2024 through 2026 and later finalized a guide on cloud outsourcing in July 2025. (bankingsupervision.europa.eu 1) (bankingsupervision.europa.eu 2) ECB officials have also tied that work directly to DORA. In a March 24, 2026 interview, Supervisory Board member Anneli Tuominen said the regulation had been in force since January 2025 and pointed to ECB reviews, inspections, and cyber stress work aimed at banks’ digital resilience. (bankingsupervision.europa.eu) The data-quality problem is real even if the viral framing is loose. The European Supervisory Authorities said in December 2024 that a dry run on DORA registers found lessons still needed before live reporting, and the Banking Authority updated its reporting FAQ again on March 19, 2025. (esma.europa.eu) (eba.europa.eu) Banks are also dealing with a second ECB track on testing. The Eurosystem updated the TIBER-EU cyber testing framework on February 11, 2025 to align it with DORA rules on threat-led penetration testing, which are separate from register reporting but part of the same resilience push. (ecb.europa.eu 1) (ecb.europa.eu 2) So the immediate question for banks is not whether a YouTube warning is official. It is whether every API tied to an outside provider is mapped to a contract, a business service, and a supervisor-ready record before the next request lands. (youtube.com) (eba.europa.eu)