DORA major ICT-related incidents report reveals 3,383 EU disruptions, key causes, cross-border risks and an AI cybersecurity warning.

DORA major ICT-related incidents report logs 3,383 disruptions in EU financial sector


Europe’s financial sector logged 3,383 major ICT-related incidents in the first annual DORA major ICT-related incidents report, and the numbers point to more than routine technical trouble. The European Supervisory Authorities — the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — released the inaugural findings this week, giving regulators and financial institutions their clearest look yet at how digital disruptions move across borders and test the EU’s financial infrastructure.

The report is the first of its kind under the Digital Operational Resilience Act, or DORA, which was introduced to bring consistency to how financial entities across the bloc manage, classify and report technology-related disruptions. In practice, that makes the new report a milestone for tracking ICT risk at scale across the European financial system.

Under Article 22(2) of DORA, the European Supervisory Authorities' ICT incidents report must be published annually. It has to cover the number and nature of incidents, their operational impact on financial entities or their clients, remedial actions taken and the costs incurred. The framework applies broadly across the EU financial sector, including banks, insurers, pension funds, investment firms and other regulated entities.

What the first DORA major ICT-related incidents report shows

An ICT-related incident under DORA is any unplanned event or series of linked events that compromises the security of a financial entity’s network and information systems and adversely affects data availability, authenticity, integrity or confidentiality. A “major” incident is one with a high adverse impact on systems supporting critical or important functions.

That distinction matters because the 3,383 incidents captured in the report are not minor glitches. Instead, they represent serious disruptions with measurable operational consequences for the EU financial sector.

Across the bloc, those 3,383 major incidents equal an average of 0.18 incidents per entity subject to DORA. On paper, that may sound manageable. However, the broader picture looks more serious: around one third of the incidents had a cross-border impact, highlighting how interconnected Europe’s financial infrastructure has become through shared services and common technology providers.

Direct harm to clients and transactions was generally limited. Still, limited client harm is not the same as limited systemic risk, especially when incidents can spread across multiple markets.

Why the incidents happened and what stood out

System failures and external events were the main causes of major ICT-related incidents, not deliberate attacks. That points directly to the risks embedded in outsourced services and shared infrastructure, which modern finance depends on every day. When a third-party provider fails, or when an external event disrupts a core system, the impact can quickly spread across multiple financial institutions.

For that reason, the report emphasizes the need for strong third-party risk management and close oversight of outsourced services. Incident response and remediation also need to happen in coordination with service providers rather than in isolation. For financial entities that rely heavily on cloud providers, software vendors and other technology partners, that is a clear signal to tighten governance structures.

Only 10% of incidents were cybersecurity-related

Here is the detail that may surprise many observers: only 10% of the major ICT incidents reported under DORA were linked to cybersecurity. The large majority came from non-malicious causes, including system failures and operational disruptions rather than attacks.

That figure may seem reassuring at first glance. However, the ESAs do not present it as a reason to ease off. Even at 10%, cybersecurity incidents in a sector this large can still create significant damage, and the direction of travel matters just as much as the current number.

How DORA changes incident reporting across the EU

Before DORA, the EU financial sector worked under a fragmented patchwork of national reporting rules. Different authorities received different information, response timelines varied and cross-border coordination was uneven. DORA's reporting mechanism for major ICT-related incidents changes that by creating a harmonised framework.

Now, financial entities must follow consistent rules for managing, classifying and reporting ICT disruptions. Every major incident must be notified to all relevant Competent Authorities, regardless of where the entity is based or where the disruption begins.

That notification requirement is more than an administrative step. By ensuring that all relevant authorities receive the same information at the same time, DORA supports a faster and more coordinated response. For incidents that affect financial entities in several member states at once, that coordination can help prevent a contained event from becoming a cascading failure.

The first annual report also shows that the system is working in practice. Entities are filing reports, authorities are receiving them, and the ESAs now have a consolidated view that did not exist before DORA.

Why AI-driven tools matter for future cybersecurity risk

The ESAs also include a forward-looking warning: the rapid evolution of highly capable AI-driven tools should push financial entities to raise, not relax, their cybersecurity standards. As AI becomes more accessible, it can support more sophisticated attack methods that move faster and with greater precision than older approaches.

That warning sits alongside a key data point from the report. Cybersecurity accounted for only 10% of incidents in this reporting period, but that baseline could change as AI tools become more widely available to malicious actors and as financial systems grow more automated and interconnected.

For now, the message from regulators is clear. Financial entities should strengthen cybersecurity measures, including third-party risk management, incident response preparedness and cybersecurity architecture, as AI-driven tools continue to evolve.

The wider implication is strategic. A financial system that depends more heavily on shared infrastructure is also more exposed to cascading failures. DORA’s reporting regime gives regulators better visibility into those vulnerabilities, and what happens next will shape European finance’s resilience in the years ahead.

FAQ

What is defined as a major ICT-related incident under DORA?

Under DORA, an ICT-related incident is a single event or a series of linked unplanned events that compromises the security of a financial entity’s network and information systems and adversely affects data availability, authenticity, integrity or confidentiality. A major ICT-related incident is one with a high adverse impact on systems supporting critical or important functions.

How does DORA improve incident reporting in the EU financial sector?

DORA harmonises and streamlines the previously fragmented reporting regime by introducing consistent requirements for managing, classifying and reporting ICT incidents. It also ensures that all relevant Competent Authorities are notified, which helps support a faster and more coordinated cross-border response.

What are the main causes of major ICT-related incidents according to the report?

The report says system failures and external events were the main causes of major ICT-related incidents in the EU financial sector. That finding highlights the importance of strong third-party risk management and oversight of outsourced services.

How does AI affect cybersecurity risks in the financial sector?

The ESAs say advances in AI-driven tools are raising the stakes for cybersecurity in finance. As these tools become more capable, they could be used to carry out more sophisticated attacks, so financial entities need to keep strengthening their cybersecurity posture.

What is the role of Competent Authorities in managing ICT-related incidents?

DORA requires that all Competent Authorities relevant to a major ICT-related incident be notified. That coordinated notification system helps authorities respond more quickly and with better alignment, especially when incidents affect multiple EU member states.
