
ESAs Publish First Report on Major ICT-Related Incidents Under DORA

On 3 June 2026, the three European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, together the ESAs) published their first annual overview of major information and communication technology (ICT)-related incidents in the EU financial sector that occurred in 2025 (Report), drawing on the reporting mechanism established pursuant to the EU Digital Operational Resilience Act (DORA).

Under DORA, a “major ICT-related incident” means an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.

The Report highlights that ICT risks are increasingly borderless and interconnected, and the emergence of highly capable AI-driven tools means it is key for firms to uphold the highest cybersecurity measures.

Key Findings

The Report covers 3,383 major incidents reported in 2025 across all financial sectors in the EU, equating to approximately 0.18 major ICT-related incidents per financial entity subject to DORA. The majority of the incidents occurred in the credit and payment sectors.

Notably, the Report sets out the following findings: 

  • around one third of reported major incidents had a cross-border impact. This underscores the growing interconnectedness of the financial sector through shared infrastructures, common ICT services and cross-border business models;
  • the direct impact on clients and transactions was limited in many cases, which may suggest that timely detection and incident response were generally effective in containing operational harm;
  • system failures and external events (originating from ICT third-party providers, other financial entities and infrastructure providers) were the principal drivers of major incidents, highlighting the importance of robust third-party risk management, effective oversight of outsourced services and close coordination with service providers during both incident response and remediation; and
  • while only 10% of reported major incidents were related to cybersecurity, the ESAs stress that financial entities must uphold the highest cybersecurity standards to keep pace with the potential use of highly capable AI-driven tools.

Looking Ahead

This Report establishes a baseline against which future trends can be measured. Under Article 22(2) of DORA, the ESAs are mandated to publish these annual overviews on an anonymised and aggregated basis, covering the number and nature of major ICT-related incidents, their impact on operations of financial entities or clients, remedial actions taken and costs incurred. 

The Report is available here.
