DORA's First Incident Report Reveals a Financial System Tied Together by Shared Risks

Key Takeaways
  • 3,383 Major ICT Incidents Reported: Financial entities across the EU reported 3,383 major ICT-related incidents in 2025, averaging 0.18 incidents per entity subject to DORA.
  • Cross-Border Impact Is Common: Around one-third of major incidents affected multiple countries, underscoring the growing interconnectedness of Europe's financial sector through shared infrastructure and services.
  • Third Parties Drive Many Disruptions: Nearly one-third of major incidents originated from failures involving third parties, highlighting the importance of vendor oversight and third-party risk management.
  • Operational Resilience Limited Customer Harm: Two-thirds of reported incidents resulted in no disruption or only minor disruption to clients and transactions, suggesting financial institutions were generally effective at containing incidents.
  • AI Raises Future Cybersecurity Concerns: While only about 10% of major incidents were cybersecurity-related, regulators warned that increasingly capable AI-driven tools will require firms to maintain strong cyber defenses.
Deep Dive

The European Supervisory Authorities (ESAs) recently released their first annual DORA incident report, which provides the first comprehensive look at major ICT-related incidents reported under DORA's new reporting framework.

In total, financial entities across the European Union reported 3,383 major ICT-related incidents during 2025. Most came from the credit and payments sectors, though the authorities caution against treating those figures as evidence that banks or payment firms are uniquely vulnerable. Those sectors entered DORA with more mature reporting obligations than many others, and their businesses tend to be highly digital and customer-facing. More digital touch-points generally create more opportunities for something to break.

The report repeatedly resists the temptation to equate incident volume with weakness. That is probably wise. Modern financial services depend on vast, interconnected technology environments. Operational incidents are not disappearing. The more useful question is what happens after they occur.

Here the findings are more encouraging. Despite the number of incidents reported and the geographical reach of some of them, the direct impact on customers was often limited. Two-thirds of major incidents resulted in either no disruption or only minor disruption to clients and transactions. Financial institutions were generally able to detect incidents quickly, contain them, and prevent them from spreading into broader operational failures.

That matters because the report paints a picture of a financial system that has become increasingly difficult to separate into neat national or organizational boundaries. Around one-third of reported major incidents had cross-border effects. Shared infrastructure, common ICT services, and multinational business models mean disruptions no longer respect jurisdictional lines. A failure originating in one country may affect customers, counterparties, or operations in several others before supervisors are even aware it has occurred.

That reality sits at the heart of DORA's reporting regime. The regulation was designed not simply to collect incident statistics but to ensure that authorities across the European Union receive consistent information quickly enough to coordinate a response. The report suggests that objective is becoming more important with every passing year.

The role of third parties appears particularly significant. System failures and external events were the largest drivers of major incidents during 2025. Almost one-third of incidents originated from failures linked to third parties, including ICT providers, infrastructure operators, and other financial institutions.

For years, regulators have warned that operational resilience increasingly depends on organizations that financial firms do not own and cannot directly control. The latest figures suggest those concerns are not theoretical. A cloud provider outage, infrastructure disruption, or failure at a shared service provider can quickly ripple across multiple firms at once.

The report stops short of framing this as a systemic vulnerability. The numbers do not need much help making that case on their own.

Cybersecurity incidents accounted for only around 10% of reported major incidents, a figure that may surprise observers accustomed to headlines dominated by ransomware attacks and data breaches. The ESAs suggest existing safeguards and detection capabilities may have helped limit the number of cyber incidents reaching the threshold for major reporting.

Still, the authorities devote unusual attention to a risk that remains more prospective than measurable. The report warns that increasingly capable AI-driven tools should prompt financial institutions to strengthen cybersecurity measures and maintain the highest standards of cyber resilience. It is not an alarmist observation.

The ESAs do not argue that artificial intelligence was a significant driver of incidents in 2025. Instead, they are pointing to the direction of travel. As AI capabilities become more sophisticated, defenders and attackers alike gain new tools. Standing still becomes its own form of risk.

The report also identifies inconsistencies in how incidents are being reported across sectors and jurisdictions. That is perhaps inevitable in the first year of a new reporting regime. DORA's incident framework only became fully operational in 2025, and supervisors are still working through differences in interpretation and reporting practices.

The ESAs expect those inconsistencies to diminish as authorities continue coordinating and refining supervisory approaches. Better data, they argue, should lead to better supervision.

The broader lesson from the first year of DORA reporting is less about the number of incidents than about the structure of the system producing them. The report describes a financial sector that remains largely successful at containing operational disruptions once they occur. At the same time, it reveals a sector whose dependencies continue to deepen.

That combination is likely to become a recurring theme in future DORA reports. The challenge facing supervisors is no longer simply understanding how individual firms fail. It is understanding how interconnected systems absorb shocks when no failure remains entirely its own.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
