General Information
Type of contract: Fixed-term contract which may be converted into a permanent contract after three years subject to individual performance and organisational needs
Who can apply? EU nationals
Salary: F/G (bracket 1 - step 1) full-time monthly net salary: €5,743 plus benefits; for further information see what we offer.
Role specialisation: IT Risk and Cyber Security
Working time: Full time
Place of work: Frankfurt am Main, Germany
Closing date: 26.05.2025
Your team
Background: what is DORA?
Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA), which became applicable in January 2025, establishes a comprehensive framework for fostering the digital operational resilience of all EU financial entities. It provides that third-party information and communication technology (ICT) service providers who provide financial entities with services identified as critical (critical third-party providers – CTPPs) will be subject to oversight at EU level to minimise the risks to which they expose the EU financial sector. In practice, this oversight will be carried out by a “Lead Overseer”, which will be one of the three European Supervisory Authorities (ESAs), i.e. the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) or the European Securities and Markets Authority (ESMA).
The Lead Overseer may request information from CTPPs, conduct off-site investigations and onsite inspections, impose penalties on CTPPs, and issue recommendations to CTPPs. It also cooperates with other EU institutions, including the European Union Agency for Cybersecurity (ENISA), and with competent authorities within the EU. These support the Lead Overseer in the conduct of oversight activities and follow up on the recommendations of the Lead Overseer with the financial entities they supervise.
The ECB is one of the competent authorities supporting the Lead Overseer. ECB staff recruited for the oversight activities will work together with staff from the Lead Overseer and from other institutions and competent authorities that cooperate under the oversight framework.
And what about your team?
You will be part of the Oversight of Third-Party Providers Section in the Non-Financial Risk Experts Division of the Directorate General Horizontal Line Supervision. Our Directorate General has around 200 staff providing expertise on horizontal risk and matters relating to banking supervision. We are currently working on, among other things, financial and non-financial risks, crisis management and supervisory policy.
Our Section supports the relevant ESAs in the oversight of CTPPs under DORA. This is an exciting opportunity to join a team that is shaping an important part of Europe’s financial resilience. DORA has established a new framework of oversight for CTPPs to increase banks’ resilience to ICT-related shocks and threats. You will play a key role in bringing this framework to life. ICT risk has become one of the most significant risks to the financial system, and our work will have a real impact on the resilience of the European economy.
Our Section is also the link between the oversight of CTPPs and the supervision of banks. Where our oversight finds issues of relevance to supervised banks, we share them with supervisors within the Single Supervisory Mechanism (SSM) so they can take action to address any risks to banks. Similarly, where banking supervisors obtain insights into risks related to CTPPs, we feed this information into their oversight and make sure the root causes are addressed.
We work closely with European banking supervisors, with the relevant ESAs and with other competent authorities that are part of the CTPP oversight framework. Each CTPP is overseen by a dedicated Joint Examination Team (JET), and you will be a member of one or more JETs.
The SSM is the system of banking supervision in Europe. It comprises the ECB and the national supervisory authorities of the participating countries.
The ECB is an inclusive employer and we strive to reflect the diversity of the population we serve. We encourage you to apply irrespective of age, disability, ethnicity, gender, gender identity, race, religious beliefs, sexual orientation or other characteristics.
Your role
As an ICT Risk Expert you will:
- provide ongoing support to the activities of the Lead Overseer, execute specific tasks in accordance with Article 1(1) of the JET Regulation, and be involved in the execution and revision of the individual annual oversight plans of relevant CTPPs;
- perform desk-based reviews of policies, procedures, contractual arrangements, and financial and other relevant information of CTPPs;
- conduct on-site inspections and other reviews and assessments of CTPPs to verify compliance with ICT security standards and requirements;
- contribute to the preparation and monitoring of recommendations concerning the activities of CTPPs;
- perform other oversight activities within your area of expertise;
- comply with the applicable requirements of the JET Regulation;
- follow the information and data handling specifications and instructions provided by the “Lead Overseer coordinator” as referred to in the second sub-paragraph of Article 40(2) of DORA;
- when carrying out oversight tasks, follow oversight procedures drafted jointly by the ESAs in relation to the conduct of oversight activities and any relevant operational area, including specifications related to the use of IT tools and equipment and time management;
- comply with the confidentiality regime of the ESAs;
- engage and collaborate with Joint Supervisory Teams (JSTs) within the SSM to ensure an efficient flow of information between JETs and JSTs to the extent permitted by the confidentiality rules referred to above;
- give presentations of the work performed by JETs to other ECB business areas to the extent permitted by the confidentiality rules referred to above;
- share recommendations issued by JETs with affected JSTs and share information collected by JSTs on CTPPs with the relevant JETs to the extent permitted by the confidentiality rules referred to above.
For these roles we are seeking candidates who demonstrate the potential for growth, and we will support the selected candidates in their development of the required skills.
The position offers you excellent opportunities to shape the newly established oversight of CTPPs, having a direct impact on the regulatory framework of the EU for the benefit of consumers and investors. You will contribute to financial stability while building a network across the authorities that oversee CTPPs in the EU. You will be part of a multicultural team that strives for continuous innovation to make a positive impact on the lives of European citizens.
Qualifications, experience and skills
Essential:
- you must be a national of a Member State of the European Union or an acceding country, unless an exception is authorised by the appointing authority or unless otherwise provided for in the Staff Rules;
- a master’s degree or equivalent in computer science, computer engineering, engineering, information security, software engineering, audit, control, compliance, business administration or another relevant field (see How you can join us for details on degree equivalences);
- expertise in ICT matters and in operational risk;
- a minimum of three years’ experience in one or more of the following areas: ICT audit, ICT supervision, ICT risk management, or information security or cybersecurity risk management;
- coordination, communication, collaboration and presentation skills gained in a multicultural environment and the ability to engage with a range of internal and external stakeholders;
- the ability to draft high-quality documents, such as assessment reports;
- an advanced (C1) command of English and an intermediate (B2) command of at least one other official language of the EU, according to the Common European Framework of Reference for Languages.
Desired:
- experience in ICT audit, ICT supervision, ICT risk management, or information security or cybersecurity risk management gained within the financial services industry;
- experience in information security management system (ISMS) standards, ICT audit methodologies, ICT risk management methodologies, DORA or other EU and international information security or cybersecurity frameworks and standards, ICT risk, ICT audit or cloud security;
- experience in ICT security operations and in security technologies and tools;
- relevant professional certifications or qualifications, such as Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP) or Certified in Risk and Information Systems Control (CRISC);
- experience in assessing the ICT risk of credit institutions or in assessing the resilience of ICT services provided by major service providers.
You engage collaboratively with others. You pursue team goals and learn willingly from other people’s diverse perspectives. You signal any need for change by explaining it and proposing alternative solutions. You analyse complex information effectively and can evaluate different views to arrive at solutions. You know and anticipate stakeholder needs.
You are motivated to contribute to the ECB’s mission, to serve the citizens of the EU as a member of a public institution and to work with colleagues from all over Europe. You are aware of your strengths and areas for development and know what motivates you to perform at your highest level.
Working modalities
Working for European banking supervision involves spending short periods of time abroad for on-site visits or training, and potentially also longer periods during on-site inspections. This important part of our work is complemented by an environment in which well-being and a good work-life balance are fostered. Playing a role in European banking supervision also entails collaborating in multinational and multicultural teams and operating in the context of different national frameworks, for which a strong ability to use different EU languages for business purposes is an asset.
Further information
The formal title for this position will be Supervisor.
The working arrangements for staff working in JETs are laid down in the JET Regulation. Should an employment offer be made, the arrangements provided for in Article 5 of that Regulation will be communicated to you in advance.
Prior to the commencement of your duties, you will be subject to ethics clearance. As a member of a JET, you will also be required to complete a standard declaration template affirming the absence of any conflicts of interest and to complete a declaration of confidentiality.
As a member of a JET, you will be required to carry out tasks with due skill, care and diligence, without bias, acting solely in the interests of the European Union, without regard to self-interest or national interests. You must not seek or accept instructions from any government, authority, organisation or individual, except for the ESAs, unless it pertains to your employment conditions at the ECB.
Membership of a JET is subject to authorisation by the Lead Overseer.
Some of the contracts will be convertible into permanent contracts after three years subject to individual performance and organisational needs.
For additional information on this specific vacancy, you can speak to the Chair of the Selection Panel, Juha Ojansivu, on +49 (0)69 1344 6802 between 9:00 and 11:00 on Tuesday, 20 May.
Application and selection process
The recruitment process for this position will be conducted remotely. It will include a pre-recorded video interview in the pre-selection phase and – if you are invited to participate in the subsequent selection phase – a written exercise, a presentation and an online interview.
If you are not selected for this position but are still considered suitable, you will be placed on a reserve list (see step 4 of How we hire), from which you might be considered for similar positions within the ECB.