Bank of Albania Sets New Standards for ICT Risk and Cybersecurity

Albania is entering a new phase of digital transformation within the financial sector. The Bank of Albania has drafted a comprehensive regulation titled On Digital Operational Resilience, aiming to establish unified requirements for the security of the networks and information systems that support financial activities. As the Albanian financial landscape becomes increasingly technology-dependent, this regulation represents one of the most important steps toward safeguarding digital stability, preventing ICT risks, and protecting consumers in a rapidly evolving environment.

The scope of the regulation is extensive and covers all banking institutions, nonbank financial lending entities, electronic money institutions, payment service providers, and issuers of asset tokens operating under crypto-asset market legislation. It also includes third-party information and communication technology providers who deliver essential ICT services to Albanian financial institutions. By expanding the scope beyond traditional banks, the Bank of Albania is acknowledging the growing diversity of financial services and the critical importance of cybersecurity across every digital channel.

The draft regulation requires financial institutions to establish a strong internal governance and control framework that ensures effective and careful management of all ICT-related risks. This is not merely an administrative requirement. Its purpose is to embed a culture of digital responsibility and resilience within every level of the institution, from the board of directors to the operational units.

A key pillar of the draft regulation is the development of a comprehensive, well-documented ICT risk management system. This system must be integrated into the institution’s overall risk management framework. It must enable financial institutions to identify, assess, monitor, and manage ICT risks quickly, efficiently, and in a fully coordinated manner. The goal is to ensure a high level of digital operational resilience and continuity, even during cyber incidents, technological failures, or external disruptions.

To achieve this resilience, institutions must adopt clear strategies, policies, procedures, ICT protocols, and necessary mechanisms to protect all information assets. These include software and hardware systems, servers, networks, and physical infrastructures such as data centers, sensitive areas, and operational environments. By requiring full protection of the digital ecosystem, the Bank of Albania aims to reduce exposure to unauthorized access, data breaches, system damage, and other ICT threats that could compromise the financial stability of the country.

The draft regulation also emphasizes a clear division of responsibilities. Financial institutions must ensure appropriate separation and independence among ICT management functions, control functions, and internal audit functions, consistent with the Three Lines of Defense model. This model is widely recognized in international regulatory practice and helps prevent conflicts of interest while improving accountability across departments.

To reduce ICT risk, institutions are required to maintain updated and reliable ICT systems, technologies, and processes. These systems must be suitable for the size and complexity of the operations they support. They must also be capable of processing data accurately, handling peak transaction volumes, managing orders and messages efficiently, and supporting the introduction of new technologies when needed. Flexibility is essential, especially during periods of market stress or unexpected disruptions where demand for data processing increases significantly.

Continuous monitoring is another crucial requirement. Financial institutions must constantly supervise the security and performance of their ICT systems to detect irregularities, vulnerabilities, or failures early. Effective monitoring not only reduces the risk of attacks or technical defects but also supports rapid response measures that can prevent larger disruptions to financial services.

Additionally, the regulation calls for the use of ICT technologies and processes that ensure secure information transfer and minimize the risks of corruption or loss of data. These technologies must protect against unauthorized access, technical failures, and system defects that could impact business operations. Institutions must prevent loss of availability, integrity, authenticity, and confidentiality of data. They must also safeguard information against poor data management practices, human error, and other operational weaknesses.

The regulation is expected to enter into force on July 1, 2027. However, financial institutions cannot simply wait until then to make adjustments. From the moment the regulation is officially approved, all institutions within its scope will be required to begin implementing the necessary measures. They must also report their progress to the Bank of Albania every three months. This transitional period is essential to ensure full compliance and to give institutions enough time to modernize their systems, train staff, and align internal processes with the new requirements.

The upcoming regulation marks a transformational step for Albania’s digital financial environment. It brings the country closer to European regulatory standards, particularly those aligned with the Digital Operational Resilience Act (DORA). For Albanian users, customers, and businesses, this means improved protection of personal data, stronger cybersecurity, and more reliable digital financial services. For institutions, it represents a challenge but also an opportunity to modernize, innovate, and build long-term digital trust.
