The European Banking Authority, together with the other European Supervisory Authorities, has published the first annual overview of major ICT-related incidents reported under the Digital Operational Resilience Act. Covering 2025, the report identifies 3,383 major incidents across the EU financial sector, finds that ICT risk is increasingly borderless and interconnected, and shows that around one third of incidents had a cross-border impact even though the direct effect on clients and transactions was generally limited. System failures and external events were the main drivers of incidents. More than three quarters of cases were in the credit and payments sectors, and almost one third originated from failures at third parties, including ICT service providers, other financial entities and infrastructure providers, reinforcing the need for stronger third-party risk management, oversight of outsourced services and coordination during remediation. Cybersecurity incidents accounted for 10% of reports, but the ESAs say firms should maintain high cybersecurity standards as highly capable AI-driven tools evolve. The first year of DORA reporting also revealed divergent practices across sectors and jurisdictions. In 2026, the ESAs will continue monitoring incidents, provide further guidance to competent authorities and introduce a new IT tool with automated validation checks and feedback mechanisms to improve data quality and supervisory convergence. They will also use the DORA Register of Information to deepen analysis of incidents linked to critical ICT third-party providers and focus on open incidents, including overdue reports.
European Banking Authority, 2026-06-03
European Banking Authority and other ESAs publish first DORA report showing 3,383 major ICT incidents and one third with cross-border impact
The European Banking Authority and other European Supervisory Authorities published the first annual overview of 3,383 major ICT incidents reported under the Digital Operational Resilience Act, highlighting cross-border, interconnected ICT risk and concentration in the credit and payments sectors. System failures, external events and third-party failures, including at ICT service providers, were key drivers, while cybersecurity incidents accounted for 10% of reports. The first year of reporting also exposed divergent reporting practices across sectors and jurisdictions. In 2026, authorities will enhance monitoring, issue further guidance, deploy a new IT tool to improve data quality and supervisory convergence, and use the DORA Register of Information to deepen analysis of incidents involving critical ICT third-party providers.