First DORA Incident Report Published by the ESAs

The European Supervisory Authorities (EBA, EIOPA and ESMA) have published their first annual overview of major ICT-related incidents reported by financial institutions under the Digital Operational Resilience Act (DORA). The report highlights that ICT risks are becoming increasingly borderless and interconnected across the EU financial sector.

DORA introduced a harmonised framework for the management, classification and reporting of major ICT-related incidents. By ensuring that significant incidents are reported consistently to the relevant authorities, the framework supports a faster and more coordinated response to incidents with cross-border implications, ultimately strengthening the resilience of the European financial system.

Key findings from the report:

• 3,383 major ICT-related incidents were reported by financial entities across the EU in 2025.
• Approximately one-third of reported incidents had a cross-border impact, reflecting the growing reliance on shared infrastructures, technologies and service providers.
• The direct impact on clients and transactions was generally limited, indicating that many institutions were able to contain and manage incidents effectively.
• System failures and external events were identified as the main causes of major incidents, highlighting the importance of strong third-party risk management and oversight of outsourced services.
• While only 10% of reported incidents were cybersecurity-related, the ESAs note that the rapid development of highly capable AI-driven tools should encourage financial institutions to further strengthen their cybersecurity measures and resilience capabilities.

The findings underline the growing systemic nature of ICT risk and reinforce the importance of operational resilience, effective supervision and robust risk management frameworks in helping financial institutions prevent, withstand and recover from future disruptions.