ESAs publish the first report on DORA major ICT-related incidents

Digital Finance and Innovation
Joint Committee
03/06/2026

The European Supervisory Authorities (EBA, EIOPA and ESMA) today published their first annual overview of major ICT-related incidents in the EU financial sector based on a reporting mechanism established by the Digital Operational Resilience Act (DORA). It shows that ICT risks are increasingly borderless and interconnected. The authorities also note that the recent evolution of highly capable AI-driven tools should encourage financial entities to strengthen cybersecurity measures to maintain their resilience going forward.

With the objective to harmonise and streamline the reporting regime of major ICT-related incidents, DORA introduces consistent requirements for financial entities on management, classification and reporting of ICT-related incidents. By ensuring major ICT-related incidents are properly notified to all Competent Authorities involved, this mechanism allows a faster and more coordinated response in case of borderless and interconnected major ICT-related incidents, ultimately contributing to the resilience of the European financial system.

The report indicates that around one third of the 3,383 major incidents reported by financial entities in the EU (i.e. 0.18 per entity subject to DORA) had a cross-border impact, underscoring the growing interconnectedness through shared infrastructures and services. On the other hand, the direct impact on clients and transactions was generally limited. System failures and external events were the main drivers, highlighting the need for robust third-party risk management, effective oversight of outsourced services and close coordination with service providers during incident response and remediation. While only 10% of the reported incidents were related to cybersecurity, it is key that financial entities uphold the highest cybersecurity standards to be able to keep pace with the potential use of highly capable AI-driven tools.

These findings illustrate the growing systemic dimension of ICT risk as well as the importance of resilience and supervision in strengthening the financial sector’s ability to prevent, absorb and recover from future incidents.

Legal basis and background

Article 22(2) of the Digital Operational Resilience Act (DORA) mandates the European Supervisory Authorities (ESAs) to report yearly on major ICT-related incidents, setting out at least: (i) the number of major ICT-related incidents, (ii) their nature, (iii) their impact on the operations of financial entities or clients, (iv) remedial actions taken, and (v) the costs incurred.

Under the Digital Operational Resilience Act (DORA), an ICT-related incident is defined as a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity. A major ICT-related incident is an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of a financial entity.

Further information:

Cristina Bonillo, Senior Communications Officer, press@esma.europa.eu

Tayfun Yilmaz, Communications Officer, press@esma.europa.eu