The Bank of Italy has published its annual horizontal analysis of major ICT incidents reported in 2025 under the Digital Operational Resilience Act. The report shows that incident volumes increased from the previous year, with most cases classified as operational incidents and about one quarter linked to cybersecurity. A key finding is the significant involvement of external ICT service providers in reported incidents. The Bank of Italy says the DORA incident reporting framework is strengthening analysis and monitoring of cyber risk across the financial sector, while the rise in incidents and the role of service providers point to the need for financial entities to maintain robust ICT risk governance and controls and to manage third party risk effectively to meet DORA requirements.
Bank of Italy2026-07-09
Bank of Italy publishes 2025 ICT incident analysis showing higher volumes and significant third party provider involvement
The Bank of Italy has published its 2025 analysis of major ICT incidents reported under DORA. It found more incidents than in the previous year, mostly operational rather than cyber-related, with around one quarter involving cybersecurity. The report also highlights significant involvement of external ICT service providers and stresses the need for strong ICT and third party risk controls.