Takeaways

The ESAs’ first report under DORA confirms that supervisors view incident volumes as a sign of reporting maturity, not systemic weakness—the focus is on whether firms can demonstrate effective operational resilience.
Third-party dependencies drove nearly one-third of all major incidents, reinforcing the importance of robust information and communication technology (ICT) vendor management, contractual protections and coordinated incident response across borders.
Inconsistent reporting practices across the EU signal that financial entities should prioritize DORA-compliant incident reporting processes ahead of the ESAs’ planned infrastructure and data quality improvements in 2026.

On June 3, 2026, the European Supervisory Authorities (the EBA, EIOPA and ESMA, collectively, the ESAs) published their inaugural joint report on major ICT-related incidents under Article 22 of the Digital Operational Resilience Act (DORA). The report covers major incidents reported across the EU financial sector in 2025 by financial entities subject to DORA, including credit institutions, payment institutions, insurance undertakings, investment firms and other regulated entities. The report provides an anonymized and aggregated overview of 3,383 major incidents, offering the first comprehensive, cross-sectoral picture of how the industry is faring under DORA’s new operational resilience framework. For financial entities and their ICT third-party service providers (ICT Providers), the report carries several important messages about how the ESAs are approaching operational resilience—and where they expect continued improvement.

  1. Incident Volumes Are Not a Sign of Weakness
    Perhaps the most notable signal from the ESAs is their framing of incident volumes. The report explicitly cautions that the number of major incidents should not be interpreted as a sign of structural weaknesses. The ESAs attribute the figures (an average of 0.18 major incidents per financial entity subject to DORA) to the increasing digitalization, complexity and interconnection of the financial sector, which make operational incidents unavoidable to some extent. The concentration of incidents in the credit and payments sectors (collectively accounting for over 75% of all major incidents) is explained not by vulnerability in those sectors, but by factors such as the existence of similar reporting obligations under the revised Payment Services Directive (PSD2), market structure and the highly digital, consumer-facing nature of the services those entities provide. In other words, a high incident count may say more about an entity’s detection and reporting maturity than about the fragility of its systems.
  2. Impact on Clients and Transactions Was Often Limited
    Despite the volume of reported incidents, the ESAs found that their actual impact was relatively contained. Two-thirds of major incidents resulted in no or only minor disruption to clients and transactions. In almost 60% of cases, the impact on clients was either absent or affected fewer than 1,000 clients, and two-thirds of incidents affected fewer than 1,000 transactions or none at all. Less than 18% of major incidents affected other financial counterparties. The ESAs suggest that this limited impact reflects the effectiveness of timely detection, incident response protocols and containment measures deployed by financial entities. The monetary impact was similarly modest: roughly 40% of all major incidents reported no direct or indirect costs at all, and an additional 10% of all major incidents reported costs of less than EUR 1,000.
  3. ICT Risk Is Increasingly Cross-Border and Interconnected
    One-third of all major incidents (1,056 in total) had a cross-border impact, with effects extending beyond the country where the incident was reported. In approximately 8% of all major incidents, more than 10 EU Member States were affected. The report emphasizes that these figures reflect the borderless nature of ICT risks, driven by financial entities’ growing reliance on shared infrastructure, common ICT services and cross-border business models. Major cross-border system outages in 2025 underscored this interconnectedness: individual events generated visible spikes in reported incidents across multiple sectors and jurisdictions, illustrating how a single point of failure can cascade rapidly through shared infrastructure and interconnected systems.
  4. System Failures and Third-Party Dependencies Are the Main Drivers
    System failures accounted for 51% of all major incidents, followed by external events at 27% and payment-related incidents at 18%. Perhaps more critically for sourcing and vendor management professionals, almost one-third of major incidents originated from failures attributable to third parties, including ICT Providers, other financial entities and infrastructure providers. The ESAs highlight these dependencies as an area of supervisory attention and underscore the need for financial entities to continue strengthening their third-party risk management frameworks. Financial entities typically addressed third-party-originated incidents through coordination with external service providers to agree on and implement follow-up safeguards. The ESAs have also signaled that financial entities’ registers of information, which centralize ICT contractual arrangements and underpin the designation of critical ICT Providers by the ESAs, will support further analysis when combined with the major incidents that financial entities report to their competent authorities (i.e., regulators in EU Member States).
  5. Cybersecurity Incidents Were in the Minority—but Future Risk Remains
    Cybersecurity-related incidents accounted for only 10% of total major incidents in 2025. The ESAs interpret this as evidence that effective safeguards and security measures are in place to limit the occurrence of such incidents. Among the cybersecurity incidents that did occur, Distributed Denial of Service (DDoS) attacks and data exfiltration or manipulation (including identity theft) were the most common techniques, together representing roughly two-thirds of cybersecurity incidents. Ransomware attacks appeared to target the insurance sector disproportionately, possibly because insurance companies hold large volumes of sensitive health and financial data. The ESAs caution, however, that financial entities must continue to uphold high cybersecurity standards to be able to keep pace with the potential use of highly capable AI-driven tools. The implication is clear: a low cybersecurity incident count today does not guarantee one tomorrow, and the ESAs will expect continued investment in defense capabilities.
  6. Incident Reporting Practices Remain Inconsistent
    The report candidly acknowledges that reporting practices across sectors and jurisdictions are still inconsistent, reflecting the early stage of implementation of DORA’s new incident reporting framework. Data quality limitations were significant: approximately 15% of major incidents notified in 2025 lacked a final report by the cutoff date and were excluded from the analysis. The ESAs had to conduct extensive data cleansing, including standardization of formats, harmonization of identifiers and translation of fields submitted in languages other than English. The reporting on costs and financial recoveries was particularly problematic due to data quality issues. The ESAs plan to introduce a new IT tool in 2026 for competent authorities’ reporting of major incidents, together with automated validation checks and feedback mechanisms, which is expected to significantly improve data quality, collection and processing.

What This Means: Resilience Over Prevention
The overarching message from the report is one of measured reassurance combined with a clear supervisory agenda. The ESAs are less focused on whether incidents occur, acknowledging that operational disruptions are inevitable in a digitalized financial system, and more focused on whether firms can demonstrate effective operational resilience. That means robust third-party oversight and vendor management, the ability to coordinate incident response across borders and consistent, high-quality DORA-compliant reporting.

For financial entities and their ICT Providers, the key action points include:

  • Invest in detection, response and recovery capabilities, with a focus on reducing incident duration and service downtime—the classification criteria most frequently triggered under DORA.
  • Tighten third-party risk management and contractual protections, including robust exit strategies and business continuity arrangements for critical ICT services, given that nearly one-third of incidents originated from third-party failures.
  • Build cross-border incident coordination into your operational playbook, ensuring that incident response plans account for multi-jurisdictional notification obligations and the potential for cascading impacts across shared infrastructure.
  • Review and test incident reporting processes to ensure DORA compliance, paying particular attention to the timeliness and completeness of initial notifications (within four hours of classification), intermediate reports (within 72 hours) and final reports (within one month).
  • Prepare for the ESAs’ forthcoming Register of Information, which will centralize ICT contractual arrangements and enable supervisors to identify concentration risks and trace incidents back to specific ICT Providers.
  • Maintain and strengthen cybersecurity defenses, particularly against DDoS attacks and data exfiltration, and assess readiness for AI-driven threat vectors that the ESAs have flagged as an emerging concern.

The ESAs have made clear that they will be watching—and that the data infrastructure to support granular, cross-sectoral supervisory analysis is only going to improve from here.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.