The ongoing digitalization of the financial sector has significantly increased dependence on information and communication technologies (ICT) and specialist ICT third-party providers. At the same time, cyberattacks, operational disruptions and concentration risks are increasing. Digital operational resilience has therefore become a key stability factor for institutions and the European financial market. The Digital Operational Resilience Act (DORA) is the first uniform European framework for managing ICT, cyber and third-party ICT risks. At the same time, European banking supervision is tightening its expectations in terms of governance, risk management and the effectiveness of internal controls. Digital resilience is no longer seen as a purely technical issue, but as an integral part of overall bank management. The European Central Bank’s (ECB) IT Risk Questionnaire (ITRQ) acts as an early warning tool and starting point for targeted supervisory reviews.
DORA and the new regulatory expectations
DORA has been mandatory for financial institutions since January 2025. The regulation creates a uniform framework for strengthening digital operational resilience and specifies the requirements for governance, ICT risk management, the management of ICT third parties, resilience testing and the management of ICT-related incidents.
The regulations are in line with the ECB’s supervisory priorities for 2026 to 2028, which address the development of robust and resilient operational risk management frameworks as a prioritized vulnerability. The focus is particularly on cyber risks and ICT third-party risks, including the management of concentration and dependency risks. Although the direct supervision of critical ICT third-party providers at EU level introduced as part of DORA strengthens the control of systemic risks, it does not relieve institutions of their responsibility for outsourced activities. The decisive factor is therefore not the existence of concepts, but proof of effective governance, clear responsibilities and resilient risk management in operations.
The ECB’s IT Risk Questionnaire as a supervisory tool
The IT Risk Questionnaire (ITRQ) is an annual, standardized survey instrument of the ECB as part of the Supervisory Review and Evaluation Process (SREP). It is used for the uniform assessment of ICT risks and the effectiveness of the associated governance, management and control mechanisms of significant institutions and forms a basis for supervisory measures. Current SREP results show that the management of operational ICT risks in particular remains challenging and has gained additional complexity as a result of DORA.
Discussions with European banks show that they rate the maturity level of their ICT risk management as low, particularly in those areas in which DORA has raised expectations. This applies in particular to the management of ICT third parties and ICT business continuity management. Despite a high proportion of ICT and cloud outsourcing, banks see considerable room for improvement, particularly in ongoing monitoring and in exiting contractual agreements with ICT service providers. The involvement of service providers in the planning and implementation of ICT business continuity tests is also perceived as a significant weakness. In addition, incomplete inventories of processes, ICT assets and ICT service providers and an imbalance in the distribution of resources between the three lines of defense can impair the effective management of resilience and concentration risks. Overall, the results show that the ITRQ is specifically used in the context of DORA as an instrument to assess the maturity of digital operational resilience.
Initial findings from DORA audits
DORA audits initially began with a focus on small and medium-sized institutions by national supervisory authorities and were extended to larger banks and banks directly supervised by the ECB in mid-2025. DORA clearly shifts the audit focus to digital operational resilience. Audits are more granular, more effectiveness-oriented and institution-specific, which leads to more in-depth test requirements and more differentiated findings.
The audit results to date show recurring weaknesses. There is often a lack of a clearly defined strategy for digital operational resilience with measurable targets and risk tolerances that is supported by the management body. Critical or important functions are not always fully identified or consistently linked to process and asset inventories, and security measures are sometimes not sufficiently risk-based or regularly reviewed. There are also deficits in ICT third-party risk management, particularly in the consideration of institution-specific requirements in risk assessments, contracts and ongoing monitoring. In addition, exit strategies and the involvement of third-party ICT providers in resilience and going concern tests are often not yet sufficiently mature.
Against this backdrop, the ECB has announced two on-site inspection campaigns on cyber and third-party risks as well as in-depth cloud reviews as part of its supervisory priorities for the period 2026 to 2028.
Recommendations for action and next steps
Institutions should systematically identify existing gaps in DORA compliance and close them through prioritized action plans. This requires consistent governance with clear responsibilities, adequate resources in the monitoring and control functions and active involvement of the management body in the management of ICT and third-party risks. Up-to-date, consistent and risk-oriented inventories of business processes, ICT assets and third parties, as well as a robust methodology for identifying critical or important functions, form the central basis for this.
ICT third-party risk management continues to show deficiencies, especially in reflecting institution-specific requirements in risk assessments, contractual arrangements and ongoing monitoring, as well as in exit strategies and the involvement of ICT providers in resilience and business continuity testing. Security and resilience measures must be effectively implemented, reviewed and monitored, with ICT service providers being consistently involved end-to-end. Sustainable digital resilience requires integrated management, regular testing, reliable data quality and the close integration of ICT and operational risk management.
Conclusion
Experience to date with DORA, the IT Risk Questionnaire and the first independent DORA audits clearly shows that supervisory practice has changed permanently.
Digital resilience is no longer viewed in isolation as an IT or compliance issue, but as a central component of overall bank management that encompasses governance, processes, technology and third parties in equal measure. The decisive factor is not the formal fulfillment of regulatory requirements, but the reliable proof of their effectiveness in operations. For institutions, this means that DORA should not be seen as a temporary implementation project. A permanent, integrated management approach is expected. The IT Risk Questionnaire is a key supervisory tool here, as identified weaknesses in the self-assessment can increasingly lead to in-depth audits.
Institutions that strengthen their governance early on and embed operational resilience holistically improve their supervisory position and long-term resilience.