How cyber, ICT, and fraud threats have become the central focus of operational risk management in European banking
Introduction
European banks have entered a new era of operational risk exposure — one dominated not by rogue traders or faulty models, but by invisible adversaries in cyberspace. As digitalisation accelerates and financial institutions migrate core processes to the cloud, operational resilience has become the defining risk management challenge of the decade.
The European Banking Authority (EBA) now consistently identifies cyber and ICT (information and communication technology) risk as the most critical operational risk facing the banking sector. Rising losses, growing dependence on external technology providers, and an intensifying threat environment underscore the urgency of this challenge. At the same time, fraud, conduct risk, and third-party dependency are converging with cyber threats, amplifying both the frequency and severity of operational disruptions.
This article examines why cyber and ICT risks now sit at the top of the operational risk agenda in Europe, explores secondary but interconnected risk drivers, and highlights the strategic implications for risk professionals and bank executives.
1. The Rise of Cyber and ICT Risk
Over the past decade, operational risk in banking has evolved from internal control failures to technology-driven vulnerabilities. According to the EBA’s 2025 reports on operational risks and resilience, cyber and data-security risks “continue to be by far the most prominent drivers of operational risk for banks,” with ICT failures and outages ranking close behind.
The data are stark: European banks reported losses exceeding EUR 6.5 billion in 2024 linked to new IT and cyber events — more than double the previous year’s figure of EUR 2.8 billion. These incidents range from ransomware attacks and data breaches to prolonged system outages in outsourced cloud environments.
What makes cyber and ICT risks so critical is not only their financial impact but also their potential for systemic disruption. A major cyberattack can simultaneously impair multiple banks or payment systems, undermining confidence and liquidity in the wider financial ecosystem.
2. Why Cyber Risk Now Dominates Operational Risk Agendas
a. The Digitalisation of Banking Operations
The European banking model has become increasingly digital and interconnected. Cloud migration, open-banking APIs, and digital payment ecosystems have delivered efficiency and customer reach — but also created expanded attack surfaces. Each new integration point introduces potential vulnerabilities that adversaries can exploit.
b. Rising Sophistication of Threat Actors
Cyber threats are no longer limited to small-scale data theft. Today’s attacks often involve state-sponsored or highly organised criminal groups, capable of orchestrating complex, multi-vector assaults on critical systems. This evolution has blurred the line between financial crime, geopolitical risk, and operational resilience.
c. Systemic Implications and Regulatory Scrutiny
Regulators across Europe now view ICT disruption as a systemic threat. The EBA and national authorities have made cyber resilience a top supervisory priority, demanding robust incident-response frameworks, third-party monitoring, and real-time risk reporting. The forthcoming Digital Operational Resilience Act (DORA) will formalise these expectations, requiring firms to prove they can prevent, withstand, and recover from ICT disruptions.
3. The Expanding Circle of Operational Risk Drivers
While cyber and ICT risks dominate, several interconnected risk categories are rapidly gaining significance:
a. Fraud and Payment Fraud
Fraud has surged alongside digital banking. The EBA’s 2025 Risk Assessment Report shows that 52% of banks now cite fraud as a major operational risk, up from 33% in 2023.
The main fraud drivers include:
- Theft of customer credentials and social engineering (reported by 60% of respondents)
- Online and cyber-enabled fraud (53%)
- Payment fraud targeting both retail and corporate clients (53%)
As banks tighten security, attackers increasingly exploit the human element — persuading customers or employees to bypass controls through psychological manipulation.
b. Conduct, Legal, and Reputational Risk
Despite new digital frontiers, traditional operational risks persist. Mis-selling scandals, data-protection breaches, and litigation exposures remain significant, with 46% of European banks ranking conduct and legal risk among their top operational concerns. The reputational impact of a cyber or fraud event can also amplify these losses.
c. Outsourcing and Third-Party Risk
The modern banking ecosystem relies heavily on external ICT providers — from core banking infrastructure to cloud and payment services. While outsourcing can enhance efficiency, it introduces concentration risk and dependency on entities outside direct regulatory control. The EBA has repeatedly warned that poor oversight of third-party providers can lead to cascading failures during major ICT incidents.
4. Building Cyber-Resilient Operational Risk Frameworks
In this new risk environment, operational risk management must evolve beyond compliance checklists. Cyber and ICT risk requires a dynamic, integrated approach combining technology, governance, and culture. Key focus areas include:
a. Strengthening Cyber-Resilience
Banks must invest in incident-response planning, penetration testing, and threat-hunting capabilities. This includes ensuring robust backup systems, business continuity planning, and disaster-recovery arrangements for critical ICT functions.
b. Enhancing Data Security and Access Controls
Identity and access management are fundamental. Strong authentication mechanisms, behavioural monitoring, and insider-threat detection help mitigate credential theft and internal misuse.
c. Integrating ICT Risk into Operational Risk Frameworks
Cyber-related losses should feed directly into capital modelling and scenario analysis. Boards must receive clear, quantitative insights into potential ICT risk exposures and resilience gaps.
d. Managing Fraud Linkages
Cyber incidents frequently serve as gateways to fraud. Risk teams should align cyber-security controls with anti-fraud measures, using behavioural analytics and real-time transaction monitoring to detect anomalies.
e. Governance and Culture
Cyber resilience begins with leadership. Boards and senior executives must champion a culture of digital risk awareness, ensuring ownership and accountability across all business units. Reporting lines should clearly define responsibilities for ICT risk oversight.
f. Regulatory Readiness
With DORA and related regulatory frameworks coming into force, banks must demonstrate their ability to withstand prolonged ICT disruptions and manage third-party dependencies effectively. Supervisors expect proactive testing, stress scenarios, and transparent remediation plans.
5. The Emerging Frontier: AI, Cloud, and Beyond
The risk horizon is shifting again. Artificial intelligence (AI) and machine learning are transforming risk management but also introducing new exposures — from data-integrity issues to algorithmic bias and model risk. As banks deploy AI in decision-making and fraud detection, governance structures must adapt to ensure transparency and accountability.
Similarly, cloud concentration risk is becoming a systemic concern. A disruption at a major cloud provider could paralyse multiple banks simultaneously. Regulators are therefore pressing for multi-cloud strategies, independent recovery capabilities, and stronger contractual safeguards with critical service providers.
Conclusion: Operational Resilience as Strategic Imperative
The European banking sector is confronting a profound shift in the nature of operational risk. Cyber and ICT threats are no longer isolated technical issues — they are strategic risks that define a bank’s ability to maintain trust, service continuity, and regulatory compliance.
Fraud, conduct, and outsourcing risks reinforce this pressure, demanding an integrated approach that spans technology, governance, and human behaviour.
For operational risk professionals, the message is clear: resilience is the new capital. Protecting against cyber and ICT failures is not only about avoiding losses — it is about ensuring the stability of Europe’s financial system in a digital age.