DORA: 3,383 major ICT incidents reported in 2025

The European Supervisory Authorities (ESAs) report 3,383 major ICT-related incidents in 2025 across all EU financial sectors, averaging 0.18 incidents per financial entity subject to DORA.

The majority occurred in the credit and payments sectors, reflecting their market structure and digital nature rather than inherent weaknesses.

The report emphasizes that the sheer number of incidents should not be seen as a sign of structural vulnerability.

Instead, the financial sector's resilience is demonstrated by entities' ability to promptly identify, manage, and contain these disruptions.

Indeed, two-thirds of major incidents resulted in no or only minor disruption to clients and transactions, indicating successful and timely detection, response, and containment measures that limited operational harm and spillover effects.

ICT risks are increasingly borderless, with approximately one-third of reported major incidents having a cross-border impact, underscoring the growing interconnectedness of financial entities.

System failures and external events were the predominant drivers.

Almost one-third originated from third-parties, including ICT service providers, highlighting the critical role of robust third-party risk management and oversight.

Existing safeguards appear effective in limiting cybersecurity incidents, yet financial entities must maintain high standards to counter potential AI-driven threats.

Supervisory reporting practices still show divergences, reflecting DORA's early implementation.

The ESAs plan continued monitoring and guidance to enhance data quality and supervisory convergence.