2026-06-03
EU supervisors publish first DORA report on major ICT incidents in finance
The European Supervisory Authorities — EBA, EIOPA and ESMA — published their first annual report on major ICT-related incidents under the Digital Operational Resilience Act on 3 June 2026. The report gives the first EU-level view of major technology incidents reported by financial entities under DORA.
The ESAs reported that 3,383 major ICT-related incidents occurred in 2025. Around one third had cross-border impact, showing how shared infrastructure, outsourced services and interconnected financial business models can turn technology failures into broader operational resilience concerns.
The report identifies system failures and external events as major drivers of incidents and highlights the importance of third-party risk management, oversight of outsourced services and coordination with ICT service providers during incident response and remediation. Financial entities should assess whether their incident reporting, classification, escalation and supplier-management processes are producing reliable evidence for supervisors.
Why it matters
DORA is now operating as a practical supervisory framework for ICT risk in the financial sector. The first reporting cycle shows that resilience is not limited to cyberattacks; it also covers governance, outsourcing, service continuity, incident response and the quality of reporting to competent authorities.
What to watch
Financial entities should expect continued supervisory focus on incident data quality, cross-border impact, third-party dependencies and the effectiveness of remediation. The report may also inform future supervisory priorities and expectations for ICT third-party risk oversight.