System failures driving ICT disruptions in EU financial sector: DORA review

4th June, 2026

Narayani Srinivasan
esma

System failures and external disruptions dominated information and communications technology (ICT)-related incidents in the EU financial sector in 2025, a recent report concluded.

European Supervisory Authorities (ESAs), which published the first annual review published under the Digital Operational Resilience Act (DORA) on Wednesday, reported 3,383 major ICT-related incidents across banks, payment firms, insurers, investment firms, and market infrastructure operators during 2025 (see chart 1).

Chart 1: Total number of major incidents (blue bar) per month and annual average number of major incidents per month in 2025 (green line)

Source: DORA review report

Europe introduced DORA in January 2025 with an aim to enhance the operational resilience requirements of financial firms.

The ESAs comprise the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA).

The report highlighted that the highest number of incidents occurred in credit institutions (over 60%) and payment institutions and electronic money institutions (about 16%).

“Such a concentration reflects differences in market structure, the existence of similar reporting requirements prior to DORA, and the highly digital and customer facing nature of services provided in these sectors rather than sector-specific weaknesses,” according to the report.

Regulators said the number of major incidents should not be interpreted as a sign of structural weaknesses, but rather a reflection of the increasing digitalisation and interconnection of financial services.

In November, ESAs released the list of designated critical ICT third-party providers (CTPPs) under DORA.

In terms of the type of incidents, system failures were reported for 51% of all major incidents (see chart 2), followed by external events (27%) and payment-related incidents (18%).

Chart 2: Classification of major incidents by type with breakdown by sector

Source: DORA review

The report said that the high number of system failures across all sectors may be caused by the complexity of the digital infrastructure, which exposes financial entities to more software issues.

ESMA reiterated the need for robust third-party risk management, effective oversight of outsourced services and close coordination with service providers during incident response and remediation.

On the other hand, cybersecurity-related incidents accounted for 10% of the total. The report concluded that the relatively low number of cybersecurity incidents seems to show that safeguards and security measures in place are effective in limiting the occurrence of such incidents.

The regulators, however, warned that institutions must remain vigilant as threat actors increasingly adopt advanced and AI-enabled techniques.

The DORA review found that a third of major incidents (1,056 disruptions) had a cross-border impact, underscoring the growing interconnectedness through shared infrastructures and services.

Third-party dependency emerged as a key risk factor, with nearly 29% of major incidents linked to ICT service providers, infrastructure operators, or other external entities. The report stressed the importance of stronger third-party risk management and improved oversight of outsourced services.

The Joint Committee of the European Supervisory Authorities in April outlined its key areas of focus for 2025, highlighting digitalisation, cyber resilience and sustainable finance amid rising geopolitical risks and rapid technological change across EU financial markets.

Related topics