DORA ICT Incident Report: What EU Firms Must Know Now
The three European Supervisory Authorities, EBA, EIOPA and ESMA, have jointly published the first annual report on major ICT-related incidents under the Digital Operational Resilience Act (DORA). The headline finding is stark: roughly one third of the 3,383 major incidents reported by EU financial entities carried cross-border impact, exposing how deeply shared infrastructure and outsourced services have woven firms' operational risk profiles together. The report also flags the rising threat posed by highly capable AI-driven tools and calls on financial entities to lift their cybersecurity standards accordingly.
What DORA Requires and Why This Report Exists
Article 22(2) of DORA obliges the ESAs to publish a yearly summary of major ICT-related incidents across the EU financial sector. Each edition must cover at minimum: the number of incidents, their nature, their operational and client impact, remedial steps taken, and costs incurred. This first report fulfils that statutory obligation and establishes the baseline against which future years will be measured.
How DORA Defines a Major ICT Incident
Under DORA, an ICT-related incident is any unplanned single event, or series of linked events, that compromises the security of network and information systems and adversely affects the availability, authenticity, integrity or confidentiality of data or services. A major ICT incident is one that carries a high adverse impact on systems supporting critical or important functions. That distinction matters for classification, notification timelines and the remediation record firms must maintain.
Key Findings from the First Annual Report
Three themes stand out across the data.
Cross-Border Exposure Is Already Significant
Of the 3,383 major incidents logged, approximately one in three had a cross-border dimension. The ESAs attribute this to interconnected infrastructure and the common use of shared third-party service providers. The implication is that a disruption at a single technology vendor or cloud provider can propagate across multiple financial entities in different Member States simultaneously.
System Failures and External Events Drive Volume
The dominant causes were system failures and external events rather than deliberate attacks. This reinforces the regulators' emphasis on third-party risk management, effective oversight of outsourced services, and having clear incident response and remediation arrangements with service providers from the outset.
Cybersecurity Incidents Are a Smaller but Growing Share
Cybersecurity-related incidents accounted for roughly 10% of the total. The direct impact on clients and transactions was generally limited across the dataset as a whole. The ESAs nonetheless treat that 10% figure as a priority concern, specifically because AI-driven attack tools are growing in capability. Financial entities are expected to match that escalating threat with equivalent improvements in their defences.
What the Report Means for Compliance Teams
Firms subject to DORA, which includes credit institutions, investment firms, payment institutions, crypto-asset service providers and a range of other regulated entities, face concrete obligations that this report sharpens. Understanding how DORA ICT risk rules affect crypto accounting workflows is now essential for any firm holding or processing digital assets.
Third-Party Risk Is the Pressure Point
The concentration of cross-border incidents traced back to shared infrastructure tells compliance and risk teams exactly where to focus. Contractual arrangements with ICT third-party service providers, SLA monitoring, exit strategies and concentration risk assessments all need to be current and tested. Regulators will use subsequent annual reports to track whether firms have acted.
The broader EU digital asset regulatory picture is also evolving rapidly. EU lawmakers are assessing DeFi, staking and NFT regulatory frameworks, which will extend operational resilience obligations further into the digital asset space over time.
FAQs
Which entities must report major ICT incidents under DORA?
DORA applies to a wide range of EU financial entities, including banks, investment firms, payment and e-money institutions, crypto-asset service providers, insurance undertakings and certain ICT third-party service providers designated as critical. Each in-scope entity must classify, manage and notify major ICT incidents to its competent authority within defined timeframes.
How is a major ICT incident different from a standard ICT incident under DORA?
A standard ICT incident is any unplanned event that compromises network and information system security with an adverse effect on data or services. It becomes a major incident when the adverse impact is assessed as high and the affected systems support critical or important functions of the entity. The classification determines notification obligations and the level of regulatory scrutiny that follows.
What does "cross-border impact" mean in practice for firms?
An incident has cross-border impact when it affects operations, clients or services in more than one EU Member State, typically because the underlying infrastructure or the affected third-party provider serves entities across multiple jurisdictions. The ESAs use this classification to assess systemic risk and to coordinate supervisory responses across national competent authorities.
What actions should firms take following this report?
At a minimum, firms should review their ICT third-party risk registers, verify that incident classification criteria align with DORA definitions, confirm that notification procedures and timelines are documented and tested, and assess whether current cybersecurity controls are calibrated for AI-assisted attack scenarios. The ESAs' findings on system failures also point to a need for stronger contractual and operational oversight of outsourced services.
Will the ESAs publish further DORA incident reports?
Yes. Article 22(2) of DORA mandates an annual report. Each successive edition will build on the baseline established by this first publication, allowing regulators and the market to track trends in incident volumes, causes, cross-border spread and the effectiveness of remediation efforts across the EU financial sector.
Source: ESMA