European Insurance and Occupational Pensions Authority and other ESAs publish first DORA annual overview showing one third of major ICT incidents were cross border

The European Insurance and Occupational Pensions Authority, alongside the European Banking Authority and the European Securities and Markets Authority, has published the first annual overview of major ICT-related incidents reported under the Digital Operational Resilience Act. Based on 3,383 major incidents reported by EU financial entities, or 0.18 per entity subject to DORA, the report finds that ICT risk is increasingly borderless and interconnected. Around one third of incidents had a cross-border impact, while the direct effect on clients and transactions was generally limited. The report links these findings to DORA’s harmonised framework for managing, classifying and reporting major ICT-related incidents, which is designed to ensure that all relevant competent authorities are notified and can respond in a more coordinated way. System failures and external events were the main drivers of incidents, pointing to the need for stronger third-party risk management, closer oversight of outsourced services and better coordination with service providers during remediation. Only 10% of reported incidents were cybersecurity-related, but the authorities note that increasingly capable AI-driven tools should prompt financial entities to strengthen cybersecurity measures and maintain high standards.