ESAs Release First Report on DORA ICT-Related Incidents in EU Finance

Sources: National Law Review

The ESAs published their first annual report on major ICT incidents under DORA.

Why it matters: Legal and compliance teams in finance need these insights to align with DORA’s operational resilience and reporting rules. Understanding incident trends helps improve regulatory compliance and risk management amid evolving cyber threats.

  • 3,383 major ICT-related incidents reported by EU financial entities in 2025.
  • About one-third of these incidents had cross-border effects across the EU.
  • System failures and external events drove most incidents; cybersecurity accounted for only 10%.
  • DORA mandates consistent incident management and annual ESA reporting on incident impacts and costs.

On June 3, 2026, the European Supervisory Authorities (ESAs)—including the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA)—released their inaugural overview of major ICT-related incidents reported under the Digital Operational Resilience Act (DORA) in the EU financial sector. The report covers 3,383 incidents reported by financial entities across the European Union in 2025 (ESMA press release).

Approximately 33% of these incidents had cross-border impacts, highlighting the interconnectedness and systemic risk potential within EU finance. The main causes identified were system failures and external events; cybersecurity incidents represented only about 10% of the total incidents reported (ESMA report).

DORA, which harmonizes operational resilience requirements for financial entities, mandates consistent management, classification, and reporting of ICT incidents. Specifically, Article 22(2) requires the ESAs to publish an annual report detailing the number, nature, impact, and remedial actions of major ICT-related incidents, as well as the costs incurred (ESMA press release).

The ESAs emphasized the evolving threat landscape, noting that "the recent evolution of highly capable AI-driven tools should encourage financial entities to strengthen cybersecurity measures to maintain their resilience going forward." This underscores the importance of enhancing defenses amid rapid technological advancements (ESMA commentary).

While detailed data on remedial actions and financial costs per incident were not included in this initial report, the overview gives legal and compliance teams critical insights for adapting their operational resilience programs to DORA requirements.

By the numbers:

  • 3,383 — major ICT-related incidents reported in 2025 across the EU financial sector
  • 33% — incidents with cross-border impact within the EU
  • 10% — proportion of incidents caused by cybersecurity threats