The European Securities and Markets Authority, together with the European Banking Authority and the European Insurance and Occupational Pensions Authority, has published the first annual overview of major ICT-related incidents reported under the Digital Operational Resilience Act. Covering 2025, the report identifies 3,383 major incidents across the EU financial sector, or 0.18 per entity subject to DORA, and finds that ICT risk is increasingly cross-border and interconnected. Around one third of incidents had a cross-border impact, while the direct effect on clients and transactions was generally limited. System failures and external events were the main drivers of incidents, and almost one third originated from failures attributable to third parties, including ICT service providers, other financial entities and infrastructure providers. The report points to a need for stronger third-party risk management, oversight of outsourced services and close coordination with providers during incident response and remediation. Cybersecurity incidents accounted for 10% of the total, but the authorities said financial entities should maintain high cybersecurity standards as highly capable AI-driven tools evolve. More than 60% of reported incidents were in the credit sector and 16% in payments, which the report links to market structure, existing reporting experience and the highly digital, customer-facing nature of those services rather than to sector-specific weaknesses. The report also notes divergent reporting practices across sectors and jurisdictions in the first year of DORA implementation. In 2026, the European Supervisory Authorities plan to continue monitoring incidents, provide further guidance to competent authorities, introduce a new IT tool with automated validation checks and feedback mechanisms, and focus on follow-up of open incidents to improve reporting quality and supervisory convergence.
European Securities and Markets Authority, 2026-06-03
European Securities and Markets Authority and fellow EU supervisors publish first DORA overview of 3,383 major ICT incidents
ESMA, alongside EBA and EIOPA, published the first DORA annual overview of major ICT incidents, covering 3,383 incidents reported in 2025. About one third had a cross-border impact, while direct effects on clients and transactions were usually limited. System failures, external events and third-party dependencies were the main drivers, and the authorities plan further guidance and better reporting tools in 2026.