ECB to subject banks to new cyberattack resilience test in 2026
In addition to testing the operational resilience of the banking network, the ECB will look at information collection procedures to find flaws that prevent the detection of financial risks, promising action for institutions that are not in compliance.
The European Central Bank (ECB) will extend stress testing of European banks' information systems to other institutions, taking a further step towards strengthening their robustness against cyberattacks or failures in critical infrastructure.
In a speech in Frankfurt on Tuesday, Patrick Montagner, member of the ECB Supervisory Board, highlighted the importance of efficient and secure data management systems in order to protect the banking and financial system not only from external threats (both cyber and extreme natural events that could affect the infrastructure linked to information management), but also from less favorable indicators.
Montagner stressed that if a “vital banking system suddenly goes down,” whether it’s because a “data center goes offline at 3 a.m. or floods destroy a bank’s critical infrastructure,” the financial network needs to have a contingency and recovery plan, which is essential to maintaining people’s trust.
In line with the Digital Operational Resilience Act (DORA) and the principles for reporting risks in data collection (RDARR), the tests on the digital robustness of the financial system will be extended to other European institutions, such as the European Banking Authority (EBA) and the Single Resolution Board (SRB).
In 2023 and 2024, the ECB has already conducted tests focused on the resilience of regulators — i.e. the ECB itself and national central banks — and national banks. In the first half of last year, 109 institutions underwent such tests, with 28 including “more extensive” tests.
In addition to the issue of cybersecurity and resistance to possible attacks or anomalies, the institution led by Christine Lagarde also wants to assess the transparency of the information systems of the European banking and financial network, warning that it will impose measures to force banks to adopt its recommendations.
“If a bank’s data collection procedures make it harder for regulators to get a full picture of its risks, we will impose measures to ensure that the bank takes immediate action,” Montagner said, pointing to existing flaws. “We have to face the reality: many banks continue to use legacy systems that, while functional, can pose risks to their operational resilience.”
jornaleconomico
