The European Supervisory Authorities (EBA, EIOPA, and ESMA) on Wednesday published their first annual overview of major ICT-related incidents in the EU financial sector, covering 3,383 incidents reported under the Digital Operational Resilience Act (DORA).
Around one-third had cross-border impact, which the ESAs said underscores “growing interconnectedness through shared infrastructures and services.”
System failures and external events were the main drivers. The ESAs linked those findings to the need for stronger third-party risk management, tighter oversight of outsourced services, and closer coordination with providers during incident response.
Only 10% of incidents were cybersecurity-related. The ESAs said direct impact on clients and transactions was generally limited but urged firms to raise cybersecurity standards as AI-driven tools evolve.
DORA, which took effect on 17 January 2025, harmonised incident classification and reporting requirements across the EU’s financial sector. The ESAs previously streamlined the reporting template from 84 to 59 fields and reduced the initial notification to seven mandatory fields.
The report gives the market its first bloc-wide incident benchmark since DORA’s implementation and feeds into the ESAs’ broader resilience programme, which includes cost and loss reporting guidelines and oversight of critical ICT third-party providers.
