ECB Stress Test reveals banks need to strengthen cyber resilience
By Gloria Methri
The European Central Bank (ECB) has said there are areas for improvement in banks’ cyber defences after simulating an attack that would erase databases in their core systems.
The ECB’s cyber resilience stress test gauged how banks would respond to and recover from a severe but plausible cybersecurity incident. The test required banks to show they could activate their crisis response plans, including internal crisis management procedures.
Overall, the stress test showed that banks have response and recovery frameworks in place, “but areas for improvement remain.” The results helped increase banks’ awareness of the strengths and weaknesses of their cyber resilience frameworks.
The exercise was launched in January 2024 and featured a fictitious stress test scenario under which all preventive measures failed. A cyberattack severely affected the databases of each bank’s core systems. The stress test focused on the banks’ response and recovery from a cyberattack rather than on how they would prevent it.
The stress test involved 109 banks directly supervised by the ECB. All banks had to answer a questionnaire and submit documentation for the supervisors to analyse, while a sample of 28 banks was chosen to undergo more extensive testing. The latter were asked to perform an actual IT recovery test and provide evidence that it had been successful. In addition, supervisors visited them on-site. The sample covered different business models and geographical locations to reflect the wider euro area banking system and ensure sufficient coordination with other supervisory activities.
To test their response to the scenario, banks had to show their ability to:
- activate their crisis response plans, including internal crisis management procedures and business continuity plans;
- communicate with all external stakeholders, such as customers, service providers and law enforcement agents;
- run an analysis to identify what services would be affected and how;
- implement mitigation measures, including workarounds that would keep the bank operating during the time needed to fully recover IT systems.
To test their ability to recover from the scenario, banks had to show they could:
- activate their recovery plans, including restoring backed-up data and aligning with critical third-party service providers on how to respond to the incident;
- ensure that affected areas were recovered and up and running;
- implement lessons learnt, for example, by reviewing their response and recovery plans.
Detecting and addressing deficiencies in supervised banks’ operational resilience frameworks, including those stemming from cyber risks, is one of the ECB’s SSM supervisory priorities for 2024-2026. This reflects the recent surge in cyber incidents that supervised banks have reported to the ECB—an increase that partly stems from rising geopolitical tensions and challenges posed by the digitalisation of the banking sector.
The ECB further encourages banks to continue meeting supervisory expectations by ensuring they have adequate business continuity, communication and recovery plans, which should consider a wide enough range of cyber risk scenarios.
Banks should also be able to meet their own recovery objectives, properly assess dependencies on critical third-party ICT service providers, and adequately estimate direct and indirect losses from a cyberattack.
The exercise’s outcome will feed into the 2024 SREP, which assesses banks’ individual risk profiles. The cyber resilience stress test is not focused on banks’ capital, so its results will not affect banks’ Pillar 2 Guidance. Supervisors have provided individual feedback to each bank and will follow up accordingly. In some cases, banks have already improved or planned to remedy the shortcomings pinpointed during the exercise.