
Information and Communications Technology resilience and reliability


Frankfurt am Main, 2 July 2025

It is a privilege to join you today to discuss the need for resilient and reliable information and communications technology (ICT).

Let me begin with a simple but crucial question: what happens when a core banking system suddenly fails?

Imagine a data centre going offline at 3 o’clock in the morning, or regional floods destroying a bank’s critical infrastructure. In those moments, delays can have a ripple effect. Payments stall. Decisions have to be taken based on incomplete data. A lack of confidence in one bank can quickly erode trust in the entire system.

At a time when customers expect banking services to function flawlessly and constantly, on any device, technology is no longer confined to the back office; it has become the backbone of everything we do. But true ICT resilience in banking goes beyond simply defending against cyber threats. It has, in my view, two inseparable elements at its core: safety and security. Safety ensures that ICT systems can operate reliably and continuously – and that the data they produce are reliable and continuously available. Security strengthens cyber defences against evolving threats and safeguards data integrity. These are not separate concerns – for financial stability, they are two sides of the same coin.

At the ECB, we remain firmly committed to ensuring that banks meet these heightened expectations. We have adapted our supervisory approach to the evolving regulatory landscape, including the Digital Operational Resilience Act (DORA) and the Basel Committee on Banking Supervision’s principles for both operational resilience and risk data aggregation and risk reporting (RDARR), reflecting this commitment to comprehensive resilience.

Today, I would like to explore these two critical elements of ICT resilience – safety and security – and their profound implications for the future of the banking sector.

When I talk about “safety”, I am not only referring to situations in which systems run smoothly, unaffected by outages and disruptions. I am also referring to an environment in which any kind of unforeseen event could occur – be it a sudden hardware failure, a natural disaster or simple human error – yet customers and supervisors alike can have complete trust in the availability of critical banking services and the integrity of the data on which those services depend. A single failure in a payment system or the inability to aggregate accurate risk exposures in real time is not just an operational hiccup; it is a potential threat to confidence and, ultimately, to financial stability. And that’s precisely why business continuity is a key regulatory requirement and one of our core supervisory priorities.

To prevent scenarios like the one I described in my introduction, banks need to develop comprehensive recovery strategies, maintain robust backup systems and regularly test their recovery processes. The goal is not perfection but resilience: the ability to absorb shocks, to adapt and to continue operating when faced with the unexpected.

But resilience is about more than keeping servers online – it is also about data reliability. In times of stress, whether caused by market volatility, unexpected credit events or more widespread disruption to operations, the boards and senior management of banks – and their supervisors – rely on precise, timely and comprehensive risk data. If a bank cannot aggregate credit exposures across regions or quickly reconcile trading book positions, it may fail to detect a mounting problem before it is too late. Banks therefore need to invest in modern data architecture that consolidates disparate data feeds into a single, coherent platform. Automated reconciliation checks should run constantly to detect anomalies, for example an incomplete data feed from a remote branch. Standardised data taxonomies are critical, so that when a bank’s board, management or supervisors request a comprehensive overview of liquidity exposures or credit concentrations, the bank can respond confidently in near real time.
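As an added illustration (not part of the speech, and not any bank's or the ECB's code) of the automated reconciliation checks described above: constructed regional exposure feeds, each with an assumed control header (declared record count and control total), are checked for completeness, taxonomy conformity and control-total agreement before exposures are aggregated group-wide, so that an incomplete feed from one region blocks a misleading consolidated view.

```python
from dataclasses import dataclass, field

# Constructed standard taxonomy of reporting regions (an assumption for the example).
EXPECTED_REGIONS = {"EU", "US", "APAC"}


@dataclass
class Feed:
    region: str
    declared_records: int   # record count announced in the feed's control header
    declared_total: float   # control total (sum of exposures) announced by the source
    records: list = field(default_factory=list)  # (counterparty_id, exposure)


def reconcile(feeds):
    """Return (exceptions, aggregated).

    exceptions lists every anomaly detected; aggregated is the group-wide
    exposure per counterparty, or None when any exception makes the
    aggregate unreliable (no partial totals are ever reported as complete)."""
    exceptions = []
    seen = set()
    for f in feeds:
        seen.add(f.region)
        if f.region not in EXPECTED_REGIONS:
            exceptions.append(f"{f.region}: region not in standard taxonomy")
        if len(f.records) != f.declared_records:
            exceptions.append(
                f"{f.region}: incomplete feed, {len(f.records)}/{f.declared_records} records")
        total = sum(e for _, e in f.records)
        if abs(total - f.declared_total) > 0.005:
            exceptions.append(
                f"{f.region}: control total mismatch {total:.2f} vs {f.declared_total:.2f}")
    for r in sorted(EXPECTED_REGIONS - seen):  # a region that sent nothing at all
        exceptions.append(f"{r}: no feed received")
    if exceptions:
        return exceptions, None
    aggregated = {}
    for f in feeds:
        for cp, e in f.records:
            aggregated[cp] = aggregated.get(cp, 0.0) + e
    return exceptions, aggregated


# Constructed sample: APAC delivered 2 of 3 declared records and the US feed never arrived.
SAMPLE_FEEDS = [
    Feed("EU", 2, 150.0, [("CP-1", 100.0), ("CP-2", 50.0)]),
    Feed("APAC", 3, 90.0, [("CP-1", 40.0), ("CP-3", 20.0)]),
]

if __name__ == "__main__":
    for line in reconcile(SAMPLE_FEEDS)[0]:
        print(line)
```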

This emphasis on safety cannot rely on IT systems and technology alone. Governance and accountability must underpin every technological investment. The ECB’s supervisory approach sets out clear expectations for boards and senior executives: ICT risk and operational resilience must be governed at the highest level. We expect the boards of banks, and not just their audit or risk committees, to take direct ownership of resilience strategies, define a risk appetite for IT disruptions and request quantifiable metrics for system availability and data accuracy. When material weaknesses arise, such as an inability to produce consolidated risk reports within set time frames, the ECB can require prompt remediation plans with milestones, deadlines and dedicated resources. In recent discussions about the escalation of RDARR-related shortcomings, which we also highlighted in our supervisory priorities for 2025-27[1], we have made clear that persistent gaps will not be tolerated: if a bank’s data aggregation framework could make it more difficult for supervisors to have a clear view of the bank’s risks, we will impose measures to ensure the bank takes immediate action.

Additionally, we must confront a challenging reality: many banks continue to use legacy systems that, while functional, can pose inherent risks to operational resilience. These systems often lack the flexibility, scalability and integration capabilities required in today’s fast-changing environment. Banks need to address these legacy system risks through strategic investment in modern, resilient infrastructure.

While safety ensures that core operations can continue without interruption, security serves as a shield, protecting those operations and the data that underpin them from a relentlessly evolving threat environment. In recent years, several trends have made it crystal clear that strengthening security is an urgent task. Ransomware attacks have grown more sophisticated and targeted, and state-sponsored activities pose persistent, complex threats that require constant vigilance. These evolving threats demand more advanced threat detection and response and recovery capabilities. Continuous vigilance and adaptation are not just good practices – they are clear supervisory expectations. Banks must invest in technologies and expertise that enable them to stay ahead of threat actors who are themselves constantly developing and improving their methods.

Furthermore, recent warnings from major financial institutions have also highlighted concerns about some of the operational and dependency risks posed by “software as a service” models and complex third-party dependencies.

While cloud solutions, particularly those offered by major technology providers, generally have robust security measures, our primary concern is managing third-party dependencies and mitigating the risk of becoming locked into a single provider. The challenge is not the inherent security of these platforms but rather the operational dependencies they create.

Banks must carefully balance the flexibility and efficiency that cloud services provide with the need to maintain operational independence and avoid excessive concentration risk. The pursuit of rapid feature development and operational efficiency cannot come at the expense of managing third-party dependencies effectively.

Consider the scenario recently described by one global systemically important bank: an AI-driven calendar tool using authentication tokens to access a firm’s email system. While this improves productivity, integration patterns like this one create operational dependencies that, if disrupted, could have a significant impact on business operations beyond the immediate security concerns.

As banks are increasingly relying on external service providers, they must develop robust strategies for managing these relationships, including clear exit strategies, data portability requirements and contingency plans for service disruptions. But the integration patterns I just mentioned collapse authentication and authorisation procedures into overly simplified interactions, creating both security vulnerabilities and operational dependencies that undermine the fundamental principles of operational resilience.

Faced with this reality, banks must embed security in their processes by design, and they should do so as a matter of course. The ECB’s supervisory expectations under DORA leave no room for complacency. DORA aims to achieve a high common level of digital operational resilience across European financial entities. It is a significant step forward in harmonising and strengthening the regulatory approach to ICT resilience across the EU. DORA will strengthen the incident reporting framework for banks, make them better prepared to deal with cyberattacks and, last but not least, enable supervisors to keep a closer eye on third-party risks.

The ECB, in collaboration with national authorities and the European Supervisory Authorities, plays a crucial role in DORA’s implementation, and our expectations are clear: banks must demonstrate not just compliance but genuine resilience. This means moving beyond box-ticking exercises to develop truly robust capabilities for managing digital operational risks.

I should also add that supervisors are working to enhance their own operational resilience. In 2023 and 2024 we conducted successful dry runs to test whether the ECB and several national competent authorities were sufficiently prepared for system-wide cyber incidents affecting both the authorities and banks. Building on this experience, we plan to repeat the exercise in 2026 and include other EU authorities, like the European Banking Authority and the Single Resolution Board, to further enhance our collective operational resilience and coordination capabilities. Additionally, our work as part of the G7 Cyber Expert Group remains a crucial aspect of our strategy to ensure we collectively have robust cybersecurity incident management and crisis frameworks in place.

To sum up, when faced with a crisis, banks must be resilient. Systems must recover swiftly. And services must continue, uninterrupted, for the millions of people who depend on them. On top of this, of course, banks must have a crisis communication plan in place to clearly explain what will happen next and to set out the recovery timeline.

Safety and security are two mutually reinforcing aspects of a single goal – ensuring that our financial system remains trustworthy, available and resilient, even in the face of unforeseen shocks. Safety ensures that, when hardware fails for any reason, banking services continue without interruption and data remain reliable. And security ensures that, when sophisticated enemies strike, banks’ defences hold firm.

The ECB stands ready to guide and support banks on this journey. By implementing DORA, applying the RDARR principles and maintaining our ongoing dialogue with banks, we will continue to raise the bar. Yet ultimately, true resilience can only emerge from within the banks themselves. Boards must champion a culture of resilience. Senior executives must allocate resources to modernising legacy systems and hardening cyber defences. And every employee must recognise that their daily decisions, whether in coding or risk analysis, play a part in safeguarding the broader financial ecosystem.

Let me be clear about what this means in practical terms: banking has fundamentally become an IT business. This means that substantial, regular and well-managed investments in technology infrastructure are essential. These investments are not merely operational costs – they are the foundation of renewed competitiveness. Banks that understand this and act decisively will not only meet regulatory requirements but will position themselves as competitive leaders that are ready to meet customers’ expectations.

To close, I invite you to reflect on the scenario we began with. It’s 3 o’clock in the morning. A core banking system suddenly goes offline. A data centre has failed, or perhaps a regional flood has taken out critical infrastructure.

In that moment, the question isn’t if disruption will occur. It’s how prepared we are to respond.

And the answer must be: we are ready.

Thank you very much.
