Moldovan Banks Boost Cybersecurity and Operational Resilience

The financial sector is embracing expensive technology

Moldovan banks' spending on information security and operational resilience in 2026 will be dictated by new regulatory requirements and the national cybersecurity strategy.

While the exact amount for the entire banking sector is not fixed in public forecasts, the overall growth in digitalization investment is expected to be 22%, which will inevitably entail a proportional increase in the cost of securing new service channels and implementing AI.

Costly cyber threats

The National Bank of Moldova (NBM) will emphasize strengthening the resilience of the banking sector in 2026-2027, requiring banks to increase investments in information security and operational resilience, due to harmonization with EU regulations.

The introduction of requirements similar to European digital operational resilience standards (e.g. DORA) aims to minimize the risks of cyberattacks. Banks will be forced to revise their IT budgets upwards to protect against cyber threats. The NBM is expected to significantly strengthen its controls and to implement the mechanisms of the European DORA regulation.

What is DORA

DORA harmonizes rules within the EU, replacing fragmented national approaches, to ensure unity in digital security. The EU regulation is a binding legal act from 2025, requiring EU financial institutions and their ICT vendors to not only protect themselves from cyberattacks, but also to have a guaranteed ability to recover.

A practical understanding of DORA includes ICT risk management, mandatory incident reporting, regular system testing, third-party vendor controls and direct management accountability.

DORA applies to all financial institutions in the EU as well as their critical third-party ICT providers (CTPs). Governing bodies (board of directors) are directly responsible for implementing the digital resilience strategy.

In practice, this will mean that banks and insurance organizations will need to assess current ICT risks, renegotiate contracts with vendors (especially cloud vendors), develop plans for continuous system testing, and establish reporting protocols to avoid technology failures.

“The National Bank is constantly monitoring the changes brought about by the increasing use of digital technology in the operations of financial institutions. The increasing degree of digitalization in areas such as payments, e-commerce or digital distribution of financial products requires the adoption of common and robust measures to protect digital systems,” stressed Constantin Shkendrya, Deputy Governor of the NBM.

Expensive adaptation

The regulator's main goal this year is to ensure business continuity and protect user data against the backdrop of the digitalization of the financial sector. Analysts predict that in 2026 the cybersecurity budgets of banking organizations worldwide may increase by 5-10% on average. In Moldova, this growth may be more pronounced due to the need to adapt to EU standards.

The key trends for the near future for systemically important banks, according to the banking community, are scaling up, on the one hand, and, on the other hand, maintaining a balance between business development and growing regulatory requirements.

For medium and small banks with limited budgets and resources, ready-made standard solutions that can be quickly implemented with minimal modifications are of particular importance, according to professional participants. At the same time, in 2026, the largest players will have a high share of personnel costs. As the size of the bank decreases, the share of software costs will increase.

While the bank’s total operating expenses (OPEX) remain under NBM’s control (Cost-to-Income ratio of around 50.2% in mid-2025), a significant portion of these funds is allocated to IT infrastructure maintenance and upgrades.

In 2025, maib, for example, implemented additional protection measures in response to the growth of cyber threats: together with partners, the bank launched projects to strengthen the security of bank cards and the integrity of transactions, and actively invests in information campaigns to protect against fraud.

It is possible to judge the banks’ expenditures on digitalization to some extent by indirect signs. It is expected that the revenues of Moldova IT Park residents (through which many of the banks’ software development orders pass) will reach €1 billion in 2025, a 30% increase from 2024. It is estimated that in the top five Moldovan banks the share of IT expenses in the structure of operating costs may grow to 25-27%.

State investments in cybersecurity

The government recently approved the National Cybersecurity Program for 2026-2030, which envisages an initial investment of 73 million lei to strengthen national digital resilience and operational capacities. The document directly affects banks as critical infrastructure entities.

The National Bank’s budget is not much more modest. To ensure supervision and its own infrastructure, the NBM approved for 2026 a capital expenditure budget of 173.7 million lei (of which more than 71 million lei are scheduled to be paid directly in 2026). A significant portion of these funds is earmarked for multi-year IT projects, identifying IT risk control and cybersecurity as key priorities.

An additional cost driver will be the implementation of new legislation to regulate crypto-assets by December 2026, which will require banks to spend more on monitoring and security of operations.

Since last year, the NBM has established a number of specific regulatory and technical benchmarks for the financial sector: annual testing with a one-day test of the ICT continuity plan in a backup center for critical systems (Regulation No. 29/2025), as well as in-depth testing every three years, when a full-scale test is conducted with the relocation of critical personnel to a backup location and running all processes from the backup data center.

Banks must implement monitoring systems for seven risk categories: availability, security, change, data integrity, third parties (outsourcing), compliance and ICT service concentration. There is also a strong focus on data storage: the integrity and availability of security logs must be ensured for a minimum of 12-24 months to support regulatory oversight.

During 2026, the NBM plans to implement three additional mandatory cybersecurity standards to strengthen the protection of payment systems. The regulator will focus on verifying how banks manage dependencies on third-party IT service providers (outsourcing) and ensure data protection in cloud services, which makes operational costs cheaper.


