The European Central Bank (ECB) launched its qualitative cyber resilience stress test (CyRST) last month, assessing how 109 major euro area banks would withstand a severe cyberattack and marking a turning point for the sector’s digital defences.
The exercise focused on the “supervisory scrutiny channel”, examining banks’ ability to maintain operations and recover systems rather than imposing direct capital requirements.
The results showed that the CyRST triggered a surge in cybersecurity investment, with overall spending across the sector rising by an average of 45 per cent.
The most significant increases were recorded among “laggard banks”, defined as institutions that had previously underinvested relative to their risk exposure and financial fundamentals.
These banks increased their cybersecurity spending by an average of 81 per cent, reflecting a rapid effort to address structural vulnerabilities.
The findings indicate that heightened supervisory scrutiny alone can alter behaviour, even in the absence of financial penalties or public disclosure of results.
A key outcome of the test was a shift away from outsourcing critical IT functions, signalling a move towards greater internal control over cybersecurity systems.
Payments to external third-party providers fell by approximately 50.1 per cent, highlighting reduced reliance on outsourced services.
At the same time, spending on internal group services increased by 23.9 per cent, suggesting banks are strengthening in-house capabilities.
The number of critical end-of-life IT systems declined by 41.2 per cent, reducing exposure to outdated infrastructure often targeted by cyberattacks.
The ECB’s approach also addressed the “public good” problem in cybersecurity, where institutions may underinvest because the benefits extend beyond their own operations.
By increasing the perceived cost of underinvestment through supervisory attention, the ECB reduced incentives for free-riding behaviour across the financial system.
This led to positive spillover effects, as stronger defences in weaker institutions reduced systemic risk and the likelihood of contagion.
The impact of the CyRST extended beyond technology to include operational and organisational improvements within banks.
Staff turnover in first-line operational roles declined by 20.5 per cent, helping preserve institutional expertise and continuity.
Banks also optimised their cyber-insurance strategies, lowering deductibles to improve coverage in the event of incidents.
Although the frequency of cyber incidents declined modestly, the financial severity of attacks dropped significantly following the supervisory intervention.
The analysis shows that investment increases were concentrated among banks facing more intense oversight, including those subject to on-site inspections and detailed supervisory findings.
In contrast, institutions exposed to lower levels of scrutiny showed no significant change in behaviour, reinforcing the importance of targeted supervisory engagement.
The study highlights that the CyRST acted as a coordinating signal, aligning investment decisions across the sector and accelerating improvements in cyber resilience.
Importantly, the exercise excluded traditional regulatory levers, such as capital add-ons under Pillar 2 requirements and public disclosure of individual results.
This allowed the ECB to isolate the effect of scrutiny as a regulatory tool, demonstrating its capacity to influence bank behaviour independently.
The findings suggest that qualitative stress testing can complement traditional regulation, particularly in areas such as cyber risk where threats evolve rapidly.
They also underline the role of supervisory validation processes, including data-quality checks and detailed feedback, in driving institutional change.
The ECB’s approach shows that soft-power regulation can be highly effective, strengthening resilience without imposing immediate financial burdens.
As cyber threats continue to grow in scale and complexity, the CyRST provides a potential blueprint for other sectors facing similar coordination challenges.
The results reinforce the importance of aligning individual incentives with system-wide stability, ensuring that cybersecurity investment reflects both private and collective risks.
Ultimately, the ECB’s initiative demonstrates that targeted oversight can close investment gaps, enhance financial stability, and safeguard the digital infrastructure of the euro area.