The revised ‘post-DORA’ IT Risk Questionnaire is probing weaknesses in banks’ ICT risk management.

      The IT Risk Questionnaire (ITRQ), a yearly data collection exercise for Significant Institutions under direct ECB supervision, is an important part of the SREP and serves as a screening tool for setting supervisory priorities. Supervisors use the results to determine and plan relevant ICT-related on-site inspections.

      Following a major revision, the ITRQ is now fully aligned with DORA, the EU framework for strengthening cyber and ICT resilience in financial institutions. This alignment has significantly raised supervisory expectations, particularly in areas related to ICT governance, operational resilience, and third-party risk management.

      To better understand the ‘post-DORA’ ITRQ, we held discussions with a diverse group of banks across Europe. Our conversations indicate that banks tend to assess themselves more critically in areas where DORA has most materially increased expectations, notably ICT third-party management and ICT continuity management. Several consistent themes emerged:

      • Imbalances in resources and investment

        ICT resources are overwhelmingly concentrated in the first line of defence, while the second and third lines are staffed at a much lower level, raising concerns about their ability to perform independent oversight roles under DORA expectations.

      • Shortcomings in third party and cloud governance

        ICT accounts for a substantial share of outsourcing spend, increasing operational and concentration risks and requiring stronger third-party governance. Third-party risk management frameworks show shortcomings, particularly in contractual arrangements, monitoring, and lifecycle management.

      • Weaknesses in ICT security and continuity

        Elevated residual risks persist in ICT security, availability, and continuity, including weaknesses in detection, recovery, and continuity planning for critical outsourced services.

      • ICT and data controls below expectations

        Data governance and ICT controls often fall short of expectations, with weaknesses in data quality, classification, and asset inventories undermining ICT resilience and third-party risk management.


      Initial insights from the first DORA on-site inspections provide an early indication of what banks can expect from post-ITRQ follow-ups by Joint Supervisory Teams. Key areas of supervisory focus include the identification of Critical or Important Functions (CIFs), the effectiveness of ICT controls, and ICT third-party risk management. Common findings relate to shortcomings in business impact analyses, insufficient linkage between ICT vulnerabilities and protection requirements, deficiencies not being systematically reflected in risk management, weaknesses in methodologies for assessing critical service providers, and overly generic or untested exit strategies.

      These findings must be viewed against a broader shift in the EU supervisory framework for ICT third-party risk. The publication of the list of Critical ICT Third-Party Service Providers significantly raises expectations for banks, as reliance on these providers will be subject to enhanced governance, contractual, and exit requirements. Their direct supervision by the European Supervisory Authorities (EBA, EIOPA and ESMA — the ESAs) marks a fundamental change in how digital resilience is addressed in the financial sector. For the first time, major technology providers that are critical to a large number of financial institutions are subject to harmonised, EU-level oversight, strengthening the management of systemic ICT risks and concentration dependencies.

      To strengthen DORA implementation and address the weaknesses highlighted by the revised ITRQ and early supervisory findings, we believe that many banks would benefit from:

      1. Reviewing whether capacity and ICT risk expertise in second and third line functions are sufficient to support effective and independent oversight under DORA.
      2. Ensuring CIFs are fully identified and consistently reflected in complete ICT asset and dependency inventories.
      3. Strengthening third-party risk management, ensuring clear service level agreements and contractual clauses, close monitoring, and full lifecycle control.
      4. Aligning and testing continuity plans for CIFs outsourced to ICT service providers.
      5. Systematically integrating ITRQ results and supervisory findings into ICT risk management and remediation processes.

      The ECB’s use of the ITRQ, together with its broader approach to verifying compliance with DORA, continues to evolve. Operational resilience and ICT capability are firmly embedded in the ECB’s supervisory priorities, with on-site inspections expected to play an increasingly important role in 2026-2028 in assessing cybersecurity management and ICT third-party risk.

      Against this backdrop, banks that proactively address the weaknesses identified through the ITRQ and early supervisory findings will be better positioned to meet rising supervisory expectations and to mitigate the risk of adverse supervisory follow-up actions under the DORA framework.


      KPMG European Central Bank Office

      Providing you with the latest information and assistance with SSM related issues.

      Our people

      Dina Friedrichs

      Manager

      KPMG in Germany

      Elvira Niedermeier

      Senior Manager, KPMG ECB Office

      KPMG in Germany