The first major ICT incident report under the Digital Operational Resilience Act (DORA) has landed. Published jointly by the EBA, EIOPA and ESMA, it covers every major ICT-related incident reported across the EU financial sector throughout 2025. It is the most comprehensive picture we have ever had of operational ICT risk across the EU financial sector, and it contains some genuinely surprising findings. Here are the ten things every GRC professional needs to know.
1. 3,383 Major Incidents Were Reported
The headline number is 3,383 major ICT-related incidents reported across the EU financial sector in 2025, averaging 282 per month. When set against the total population of financial entities subject to DORA, that equates to 0.18 major incidents per entity across the year.
The ESAs are clear that raw incident volume should not be read as a measure of structural weakness. Increased digitalisation, system complexity and interconnectedness make some level of operational disruption statistically inevitable. What matters is how quickly incidents are identified, contained and resolved, and on that measure, as we'll see later, the picture is more encouraging.
2. Credit and Payments Dominate but Context Is Everything
More than three-quarters of all 2025 major incidents were concentrated in just two sectors. The credit sector alone accounted for over 60% of all incidents, with an average of 0.57 major incidents per financial entity. The payments sector added a further 16%, at 0.23 per entity.
Before drawing conclusions about sector-specific vulnerabilities, the ESAs flag three structural reasons for this concentration.
- Both sectors have been subject to major incident reporting requirements since 2018 under PSD2, meaning they have more mature reporting cultures and are less likely to under-report.
- The credit sector in particular contains large numbers of smaller entities that often share the same core infrastructure or are serviced by the same ICT third-party provider.
- Credit institutions and payment institutions operate some of the most digitally intensive, customer-facing services in the financial system. The exposure surface is simply larger, and disruptions are detected and escalated faster.
3. System Failures Are the Biggest Threat
Perhaps the most striking finding in the entire report: when looking at the type of major incidents reported, system failures accounted for 51% of the total. External events contributed a further 27%, and payment-related incidents made up 18%. Despite the headlines, cybersecurity incidents accounted for just 10%.
4. When Cyberattacks Do Happen, DDoS and Data Theft Lead the Way
While cybersecurity incidents represent only 10% of the total, their nature is worth understanding in detail. Of those incidents where a threat actor was involved, Distributed Denial of Service (DDoS) attacks were the most common technique, accounting for 33% of cybersecurity incidents. Data exfiltration and manipulation came second at 31%.
Both of these attack types were disproportionately concentrated in the credit sector. The ESAs attribute this to the scale of the digital services banks operate, the volume of sensitive customer and financial data they hold, and the maturity of their monitoring and detection systems.
5. ICT Risk Has No Borders
Over 1,000 of the 3,383 major incidents had a cross-border impact, meaning their effects extended beyond the country where they were originally reported. Of those cross-border incidents, roughly one third affected just one or two additional Member States. But at the other end of the scale, around 8% of all major incidents affected more than ten countries simultaneously.
The ESAs note that more than two-thirds of cross-border incidents were linked to system failures or process failures rather than cyberattacks. This data has direct implications for incident response planning. If your entity operates across multiple jurisdictions, your response framework needs to account for cross-border notification obligations, coordination with multiple competent authorities and the possibility that the root cause sits entirely outside your own environment.
6. Third-Party Failures Caused Almost One Third of All Incidents
Almost one third of all major incidents in 2025 originated from a failure on the side of a third party, including ICT third-party service providers, other financial entities and infrastructure providers. The ESAs commented that this finding "underscores the need for financial entities to further strengthen their third-party risk management frameworks."
What makes this particularly significant is the scope of the problem. Many of the third-party providers (TPPs) contributing to these incidents were not formally designated as "critical" under DORA's oversight framework. This matters because it means the risk is not confined to a small number of high-profile providers that regulators are already watching closely.
7. The Actual Impact on Clients and Transactions Was More Contained Than You Might Expect
Given the volume of incidents, the actual impact on clients and transactions is reassuringly limited. Almost 60% of all major incidents either had no impact on clients whatsoever or affected fewer than 1,000 clients. At the transaction level, two thirds of incidents fell into two categories: no transactions affected (32%) or fewer than 1,000 transactions affected (26%). Only 30 incidents impacted more than one million transactions, and these were concentrated in the credit and payments sectors.
The ESAs attribute this relatively benign outcome to two factors.
- Timely detection - many incidents were identified early enough that containment measures could be deployed before damage escalated.
- Effectiveness of existing safeguards - even in a highly interconnected system, the protections that financial entities have built appear to be limiting spillover effects in practice.
8. Duration and Downtime Are the Classification Triggers That Matter Most
Under DORA's classification framework, an incident becomes "major" when it meets certain materiality thresholds. The two most commonly triggered classification criteria in 2025 were duration and service downtime, and the number of clients, financial counterparties, or transactions affected. A third criterion, reputational impact, triggered classification in around 16% of major incidents.
The reputational criterion is worth unpacking. It applies when an incident was reflected (or could potentially be reflected) in the media, generated repetitive complaints from customers, made it likely that the entity would fail to meet regulatory requirements, or caused material customer loss.
9. Reporting Quality Is Still Inconsistent
The ESAs are refreshingly candid about the limitations of this first dataset. Divergent reporting practices across sectors and Member States are explicitly acknowledged. In some cases, entities selected only some of the applicable classification criteria rather than all that applied, leading to potential underreporting of certain incident types, particularly payment-related incidents in the credit sector. Automated data quality validation rules were not fully in place for this first reporting cycle, so the ESAs had to implement manual quality assurance steps, including standardising formats, harmonising country codes, translating fields submitted in languages other than English and flagging duplicate submissions.
10. AI-Augmented Attacks Are The Next Threat
The report's most forward-looking passage is brief but significant. While acknowledging that existing cybersecurity safeguards have been "generally effective" in limiting the occurrence and impact of cyber incidents in 2025, the ESAs add an explicit warning: "it is key that financial entities uphold the highest cybersecurity standards to be able to keep pace with the potential use of highly capable AI-driven tools."
This is the regulators telling the industry, in measured but unambiguous language, where they expect the threat landscape to go. AI-augmented cyberattacks are not a speculative future scenario; they are an emerging present reality.