The European Supervisory Authorities’ first annual report on major ICT-related incidents under DORA offers a valuable snapshot of operational resilience across the EU financial sector. The headline figures are already receiving attention: 3,383 major ICT-related incidents were reported in 2025, approximately one third had a cross-border impact, and system failures emerged as the dominant driver of disruption.
Yet the most important insight from the report is not the number of incidents reported.
The report reveals a broader shift in how supervisors understand operational resilience. DORA incident reporting is becoming more than a compliance obligation. It is gradually evolving into a supervisory intelligence mechanism capable of exposing dependency patterns, concentration risks and systemic vulnerabilities across the financial system.
The Headline Is Not 3,383 Incidents
The report recorded 3,383 major ICT-related incidents across financial entities subject to DORA during 2025. The majority occurred within the credit and payments sectors, reflecting their highly digital, customer-facing nature and existing reporting maturity.
Importantly, the ESAs explicitly caution against interpreting incident volume as evidence of weakness. In a highly digitalised and interconnected financial system, operational incidents are to some extent unavoidable.
The more relevant question is not whether incidents occur.
The relevant question is whether organisations can identify, contain, remediate and learn from them effectively.
This distinction is important because it reframes operational resilience from a prevention-only discipline to a capability discipline. Resilience is demonstrated not by the absence of disruption, but by the ability to absorb disruption without allowing it to escalate into material harm.
ICT Risk Is Becoming Increasingly Systemic
One of the most striking findings in the report is that approximately one third of major incidents had a cross-border impact.
In some cases, incidents affected more than ten countries simultaneously.
This reflects a structural reality of modern financial services. Financial institutions increasingly rely on shared infrastructures, common service providers, cloud platforms, payment networks and outsourced technology services. As a result, disruptions that originate in a single component can propagate rapidly across multiple entities, sectors and jurisdictions.
The report highlights this interconnectedness repeatedly. Operational disruptions are no longer purely local events. They are often manifestations of dependencies embedded within the wider financial ecosystem.
For supervisors, this changes the nature of operational risk analysis. Understanding what failed is no longer sufficient. Understanding how failure propagates becomes equally important.
Third-Party Risk Has Become Dependency Risk
The report finds that system failures and external events were the dominant causes of major incidents.
Almost one third of incidents originated from failures attributable to third parties, including ICT providers, infrastructure providers and other financial entities.
This finding deserves particular attention.
Traditional third-party risk management often focuses on contractual arrangements, due diligence activities and supplier oversight processes. While these remain important, the report suggests that a broader perspective is required.
The supervisory challenge is increasingly one of dependency intelligence.
Supervisors and firms need visibility into:
- Which critical services depend on common providers;
- Which providers support multiple institutions simultaneously;
- Where concentration points exist;
- How failures propagate through interconnected environments; and
- Whether remediation addresses root causes or merely restores services.
In this context, a vendor inventory is only the starting point. The greater value lies in understanding dependency chains and the resilience implications they create.
Why DORA Incident Reporting Matters
Historically, major operational incidents were largely analysed at the level of the individual institution.
DORA changes this dynamic.
Through harmonised reporting requirements, supervisors can now observe patterns across institutions, sectors and jurisdictions. Incidents that appear isolated at firm level may reveal broader dependency structures when viewed collectively.
This is perhaps the most significant long-term contribution of the DORA reporting framework.
Incident reporting is becoming a source of supervisory intelligence.
Patterns can be identified.
Concentration risks can be analysed.
Common vulnerabilities can be observed.
Cross-border propagation pathways can be understood.
The objective is no longer simply collecting incident notifications. The objective is building a clearer picture of how operational risk behaves across the European financial system.
A Positive Signal: Limited Client Impact
An equally important finding is what did not happen.
Despite the scale of reporting and the frequency of major incidents, the report concludes that direct impacts on clients, transactions and financial counterparties were generally limited.
Most incidents either had no client impact or affected relatively small numbers of customers and transactions.
This may appear counterintuitive given the degree of interconnectedness identified elsewhere in the report.
However, it suggests that many financial entities were able to detect incidents quickly, activate response procedures and implement effective containment measures before disruption escalated.
In other words, the report provides evidence that operational resilience arrangements are often functioning as intended.
The challenge moving forward is to maintain that effectiveness as technology ecosystems become more complex and increasingly dependent on external providers.
The Next Stage of Supervisory Intelligence
The report also highlights several developments expected to improve supervisory visibility in the coming years.
These include enhanced reporting tools, automated validation mechanisms, improved data quality controls and greater integration with DORA’s Register of Information on ICT third-party arrangements.
Taken together, these developments indicate a clear supervisory direction.
Future resilience oversight will increasingly focus on identifying concentrations, dependencies and systemic exposure across interconnected technology environments.
The value of incident reporting will therefore extend beyond compliance and regulatory notification.
It will contribute to a richer understanding of how operational risk emerges, propagates and can be contained across the financial system.
Conclusion
The first DORA incident report should not be viewed primarily as a catalogue of operational failures.
Its real significance lies elsewhere.
The report demonstrates that operational resilience is becoming a dependency-management challenge as much as a technology challenge. Major incidents reveal more than service disruptions. They expose shared infrastructures, concentration points, third-party dependencies and cross-border propagation pathways.
Viewed collectively, these incidents provide a new source of supervisory intelligence.
The future of operational resilience may therefore depend less on counting incidents and more on understanding what those incidents reveal about the structure of the financial system itself.
References
European Supervisory Authorities (EBA, EIOPA and ESMA). (2026). 2025 Report on Major ICT-Related Incidents: Joint-ESA Report under Article 22 of DORA (JC 2026 16). Published 3 June 2026.
Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
Commission Delegated Regulation (EU) 2024/1772 supplementing Regulation (EU) 2022/2554 with regard to the classification of ICT-related incidents and cyber threats.
Commission Delegated Regulation (EU) 2025/301 supplementing Regulation (EU) 2022/2554 with regard to the content and time limits for major ICT-related incident reporting.
Commission Implementing Regulation (EU) 2025/302 laying down implementing technical standards regarding templates and procedures for reporting major ICT-related incidents.
