
ESAs publish first Report on major ICT incidents under DORA: an average of 282 major incidents per month. 60% occurred within the credit sector.

5 June 2026

More than three quarters of all 2025 major incidents affected two sectors: over 60% occurred within the credit sector, while an additional 16% affected the payments sector. Around one third of incidents (i.e. 1,056 major incidents) had a cross-border impact. System failures and external events were the main drivers. Only 10% of the reported incidents were related to cybersecurity.

The European Supervisory Authorities (ESAs) published their first annual report on major ICT-related incidents under DORA, offering a new EU-wide view of digital operational resilience in the financial sector. Based on 3,383 major incidents reported across the EU, with an average of 282 major incidents per month (see Figure 1), the report shows that ICT risks are increasingly interconnected and borderless.

Spikes in the number of incidents reported in February, April and May can be explained by specific cross-border and/or cross-sectoral events, including: (i) the TARGET2 outage in February 2025, which caused the suspension of securities settlement, payments, ancillary system processing and liquidity transfers for several hours; (ii) the energy blackout in the Iberian Peninsula in April 2025, which disrupted normal operations across all sectors; and (iii) two separate events affecting multiple entities in May 2025.

As shown in Figure 2, more than three quarters of all 2025 major incidents affected two sectors: more than 60% occurred within the credit sector, while an additional 16% affected the payments sector.

At this stage, it is not possible to draw definitive conclusions based on the number of incidents only, and the number of incidents per se is not a risk indicator. Differences across sectors may be attributed to a variety of factors, including:

(i) the existence of similar reporting obligations prior to DORA: for instance, both the credit and the payments sector have been subject to major incident reporting since 2018 under the revised Payment Services Directive (PSD2);

(ii) the structure of the market: in the credit sector there are instances of many smaller entities belonging to the same group. These generally rely on the same shared infrastructure and are serviced by large third-party providers (TPPs) for core banking, payment processing and connectivity, creating a multiplier effect: a single failure can generate dozens of related major incidents; and

(iii) the nature of the services provided: credit institutions (CIs) and payment institutions (PIs) operate some of the most digitally intensive and consumer-facing services in the financial system, such as payments, online and mobile banking, and card processing, which are used at massive scale every day. This increases both the exposure surface and the likelihood that disturbances are quickly detected and reported.

In 2025, the vast majority of incidents were classified as major mainly due to two classification criteria: (i) duration and service downtime, and (ii) clients, financial counterparts and transactions affected (labelled as “non-monetary” in Figure 3).

Around 16% of major incidents were classified as major on the basis of a reputational impact, meaning they were reflected (or could potentially be reflected) in the media, resulted in repetitive complaints from different customers, caused the financial entity (FE) to (likely) not be able to meet regulatory requirements and/or caused the FE to (likely) lose customers with a material impact on its business.

Around one third of incidents (i.e. 1,056 major incidents) had a cross-border impact, reflecting the sector’s reliance on shared infrastructures, outsourced services and third-party providers (see Figure 4). Around one third of these cross-border major incidents affected one or two Member States. However, in about 8% of all major incidents, more than 10 countries were impacted, highlighting the interconnectedness of the financial sector and the borderless nature of ICT risks. Direct impacts on clients and transactions were generally limited.

System failures and external events were the main drivers, highlighting the need for robust third-party risk management, effective oversight of outsourced services and close coordination with service providers during incident response and remediation.

While only 10% of the reported incidents were related to cybersecurity, it is key that financial entities uphold the highest cybersecurity standards to be able to keep pace with the potential use of highly capable AI-driven tools.

In terms of incident type, system failures were reported for 51% of all major incidents, followed by external events (27%) and payment-related incidents (18%). However, these figures need to be interpreted carefully, as they may reflect specific reporting practices. While the nature of major incidents appears to be the same across most sectors, those reported by entities in the MTI sector were predominantly classified as system failure or process failure (see also Figure 5), as expected due to the nature of the services provided (i.e. data and reporting services).

Overall, the high number of system failures across all sectors may be caused by the complexity of the digital infrastructure which exposes FEs to more software issues.

Analysis of cybersecurity incidents

In cases of cybersecurity incidents, FEs are required to indicate the threats and techniques used by the threat actor. In 2025, the majority of attacks were concentrated in two categories: Distributed Denial of Service (DDoS) attacks (33%), and data exfiltration and manipulation, including identity theft (31%).

As highlighted in Figure 6, these two types of attacks appear to occur significantly more frequently in the credit sector. This could be explained by a combination of factors: the scale of their digital services, the concentration of sensitive data, and their role in processing payments. In addition, the relatively mature monitoring and incident-detection frameworks in place at many credit institutions may lead to earlier identification and more consistent reporting of cybersecurity incidents.

In contrast, the remaining techniques are more evenly distributed across sectors, with the exception of ransomware attacks, which appear to target especially the insurance sector. This may be explained by the fact that insurance companies hold large volumes of sensitive health and financial data.

These findings illustrate the growing systemic dimension of ICT risk as well as the importance of resilience and supervision in strengthening the financial sector’s ability to prevent, absorb and recover from future incidents.
