On 3 June 2026, the European Supervisory Authorities (ESAs) published their first annual overview of major ICT-related incidents in the EU financial sector based on a reporting mechanism established by the Digital Operational Resilience Act (DORA).
Article 22(2) of DORA mandates the ESAs to report yearly on major ICT-related incidents, setting out at least: (i) the number of major ICT-related incidents, (ii) their nature, (iii) their impact on the operations of financial entities or clients, (iv) remedial actions taken, and (v) the costs incurred.
Key findings
The findings in the report include:
- Overall, 3,383 major incidents (corresponding to an average of 0.18 major ICT-related incidents per financial entity subject to DORA) were reported in 2025 across all financial sectors in the EU, with the majority of them occurring in the credit and payments sectors.
- Two thirds of major incidents resulted in no or minor disruption to clients and transactions, suggesting that timely detection, paired with effective incident response and containment measures, was often successful in limiting operational harm and spillover effects.
- Around one third of reported major incidents had a cross-border impact.
- Almost one third of major incidents originated from failures attributable to third parties (including ICT third-party providers, other financial entities, and infrastructure providers).
- Divergent reporting practices across sectors and jurisdictions are still observed. These divergences reflect the early stage of implementation of the new major incident reporting framework introduced by DORA.
Next steps
Going forward, the ESAs will continue to monitor and analyse major incidents and provide additional guidance to competent authorities, supporting greater supervisory convergence and improved reporting practices.