Decoding the world of cybersecurity

DORA incidents expose cross-border finance risk

EU supervisors’ first DORA incident report shows how ICT failures and shared providers can spread disruption across financial services.

DORA incidents expose cross-border finance risk
Summary
  • EU supervisors counted 3,383 major ICT-related incidents across financial entities in 2025.
  • Around one third of incidents had cross-border impact.
  • System failures and external events were the main drivers, while cybersecurity incidents accounted for 10% of reports.

EU financial supervisors have put a first set of numbers behind the Digital Operational Resilience Act, with the European Securities and Markets Authority and the other European Supervisory Authorities reporting 3,383 major ICT-related incidents across financial entities in 2025.

Around one third of those major incidents had cross-border impact. The figure gives supervisors a clearer view of how disruption can move through financial services when banks, insurers, investment firms, market infrastructure, and payment providers depend on common technology, outsourced services, and shared platforms.

The first annual DORA incident report was prepared by the European Banking Authority, the European Insurance and Occupational Pensions Authority, and ESMA. The report is required under DORA, which mandates annual reporting on the number, nature, impact, remedial actions, and costs of major ICT-related incidents.

The supervisory update said system failures and external events were the main drivers of reported incidents. Cybersecurity incidents accounted for 10% of reports, although supervisors linked the findings to the need for robust cybersecurity standards, effective third-party risk management, oversight of outsourced services, and coordination with providers during response and remediation.

The findings show why DORA treats digital resilience as more than breach prevention. A serious financial-sector incident may be caused by malicious activity, software failure, infrastructure outage, operational dependency, or service provider disruption. The effect can still be material where trading, payments, customer services, reporting, or internal controls are affected.

The cross-border figure will be especially relevant to firms with European operations spanning several jurisdictions. A financial entity may be regulated nationally, but its cloud services, identity systems, messaging platforms, market data feeds, managed technology providers, and core software suppliers often operate internationally. An incident in one layer can create operational pressure across many supervised entities at once.

Supervisors now have a baseline for asking more detailed questions about concentration risk, provider dependency, recovery assumptions, and the quality of incident reporting. Financial entities will need to show that reported incidents are being used to improve testing, response planning, communications, and recovery, rather than being treated as administrative filings.

The report also moves the discussion beyond cyber incidents alone. Most major ICT incidents were not classified as cybersecurity incidents, but they still affected resilience. That distinction will shape board and risk committee work, because digital resilience programmes need to cover technology failure, supplier fragility, change management, and operational dependency as rigorously as intrusion and ransomware scenarios.

DORA’s first reporting cycle gives regulators a stronger evidence base for future supervision. The next phase will test whether financial entities can turn incident data into better controls across providers, systems, recovery plans, and governance.

×