The tests saw 109 supervised banks face a hypothetical scenario in which a cyberattack succeeded in disrupting their critical IT infrastructure. Of these, 28 banks underwent an enhanced assessment for which they will submit additional information on how they coped with the cyberattack.

The stress test scenario saw all preventive measures fail and a cyberattack severely affect the databases of each bank’s core systems. This meant that the focus was on how banks would respond to and recover from a cyberattack, rather than on how they would prevent it.

In a blog, ECB supervisor Anneli Tuominen says the results show that "while banks do have high-level response and recovery frameworks in place, there is still room for improvement. Banks need to ensure that their recovery capabilities are sufficient to handle worst-case scenarios and that they can meet their recovery objectives to protect customer assets and customer data, maintain confidence in the banking system and, ultimately, safeguard financial stability."

The programme was announced early this year amid growing tensions with Russia and demonstrate the concern among supervisory authorities of the potential for disruption and financial instability from a major cyber attack on the banking sector, which is increasingly reliant on digital technology to maintain operations.

Tuominen also notes the recent Crowdstrike outage, writing that "given the interconnected nature of today’s banking networks, an incident in one institution can have cascading effects across multiple sectors".

The ECB says banks should continue investing in their cyber resilience and that similar exercises could follow.

The Bank also says the forthcoming application of the Digital Operational Resilience Act in January will provide a robust framework that will require banks to step up their efforts to foster a culture of continuous cyber risk management.