The European Supervisory Authorities (EBA, EIOPA and ESMA) have released the first annual report on major ICT-related incidents under the Digital Operational Resilience Act (DORA). While many organisations viewed DORA as another regulatory hurdle, the findings suggest the reporting regime is surfacing something much bigger than a paperwork obligation.
The report describes a financial sector whose ICT disruptions are increasingly interconnected and cross-border, which means a disruption at one institution or provider can have systemic consequences. For financial institutions, the takeaway is simple: resilience can no longer exist only on paper. It must be demonstrated in practice.
The report analysed 3,383 major ICT-related incidents reported across the EU financial sector during 2025. That averages approximately 282 major incidents every month. Credit institutions and payment providers accounted for the largest share of reported incidents.
Perhaps more importantly, around one-third of all major incidents had cross-border impacts. This highlights how interconnected financial services have become and how a disruption in one location can quickly affect customers, partners, and operations across multiple countries.
The report also found that major incidents were not driven exclusively by cyber attacks. System failures, technology outages, and third-party dependencies featured prominently. In other words, operational resilience is no longer just a cybersecurity challenge. It is a business resilience challenge.
This distinction matters because many organisations still focus most of their preparedness efforts on preventing cyber attacks. DORA's first year of reporting demonstrates that resilience also requires organisations to prepare for technology failures, supplier disruptions, cloud outages and the cascading effects such events can trigger across interdependent systems.
One of the strongest messages from the report is that ICT risk is becoming increasingly systemic. Financial institutions rely on shared cloud platforms, outsourced service providers, software vendors, payment networks, and interconnected digital ecosystems. A failure affecting one critical provider can have consequences across multiple organisations and jurisdictions.
This is exactly why DORA places such a strong emphasis on ICT third-party risk management. Organisations are expected not only to understand their own systems but also their dependencies on external providers and the concentration risks those dependencies create.
The findings reinforce a reality that cybersecurity professionals have been discussing for years: organisations do not operate in isolation. Their resilience is increasingly tied to the resilience of their suppliers, technology partners, and service providers.
Many organisations initially associated DORA with incident reporting requirements. While reporting remains important, the regulation is ultimately focused on something much broader.
DORA requires financial entities to identify, classify, escalate, manage, recover from, and learn from ICT-related incidents. Reporting is simply the visible outcome of those activities. The challenge is that organisations cannot meet reporting obligations if they struggle with internal decision-making during a crisis.
Questions such as:
These decisions must be made quickly and consistently under pressure.
Without clearly defined processes and tested response procedures, reporting deadlines become difficult to achieve. DORA's reporting framework is designed to encourage organisations to build operational maturity long before a major incident occurs.
One of the most interesting findings in the ESAs' first DORA incident report is the recognition that operational disruptions are no longer viewed as exceptional events that can always be prevented. The report explicitly acknowledges that the increasing digitalisation and interconnectedness of the financial sector make operational incidents "to some extent unavoidable."
Rather than focusing solely on the number of incidents reported, the ESAs argue that resilience should be measured by how effectively organisations manage and contain those incidents once they occur.
This is a message that will be familiar to anyone who has attended CM-Alliance's NCSC-Assured Cyber Incident Planning and Response training. Since 2020, we have consistently emphasised that while prevention remains important, organisations must accept that not every incident can be stopped. The real measure of maturity is not whether an organisation experiences an incident, but how effectively it prepares for responding to and recovering from one.
In many ways, DORA is now formalising at a regulatory level what resilience practitioners have been advocating for years: resilience matters more than the unrealistic pursuit of complete prevention.
The data strongly supports this view. Despite 3,383 major ICT-related incidents being reported across the EU financial sector in 2025, the report found that two-thirds resulted in no or only minor disruption to clients and transactions.
According to the ESAs, this suggests that timely detection, effective incident response, and rapid containment measures were successful in limiting operational harm and preventing wider spillover effects.
The same conclusion is reinforced later in the report, which notes that the direct impact on clients and transactions was limited in most cases, likely because organisations were able to detect incidents quickly and implement remedial actions before they escalated into broader disruptions.
This is where many financial institutions still have work to do. An operational resilience policy may explain what should happen during an incident. But a playbook explains exactly how it happens.
Well-designed incident response playbooks provide clear escalation paths and response actions tailored to specific scenarios. For example, the response to a ransomware attack differs significantly from the response to a cloud service outage or a major technology malfunction.
Yet many organisations still rely on generic incident response plans that provide limited operational guidance when a real crisis unfolds.
Under DORA, organisations are expected to demonstrate repeatable and effective response capabilities. Playbooks help transform high-level requirements into practical actions that teams can execute under pressure.
This is one reason why many financial institutions are now reviewing and modernising their incident response documentation to align with DORA expectations.
Having a playbook is important. Knowing whether it works is even more important. DORA places significant emphasis on digital operational resilience testing. Regulators want organisations to demonstrate that their plans, controls, processes, and teams can perform effectively during realistic disruption scenarios.
This is where tabletop exercises and cyber resilience testing become critical. A well-designed exercise can reveal:
These are precisely the types of issues that often emerge during real incidents. The organisations that perform best during crises are rarely the ones with the thickest policies. They are the ones that have practised their response, challenged assumptions and refined their processes before an incident occurs.
The first DORA incident report should serve as a wake-up call for organisations that still view resilience as a compliance exercise. The report confirms that major ICT incidents are frequent, interconnected, and increasingly capable of creating cross-border disruption. It also highlights that resilience requires much more than technical controls: decision-making, communication and third-party risk management all play a crucial role.
Financial institutions should use these findings as an opportunity to assess whether they can confidently answer the following questions:
If the answer to any of these questions is uncertain, there is work to do.
Cyber Management Alliance helps financial institutions move beyond compliance and build genuine operational resilience. Our specialists work with organisations across the financial sector to develop and review incident response plans.
We also help you create scenario-specific cyber incident playbooks and conduct realistic cyber tabletop exercises that align with DORA requirements. Our NCSC-Assured training programmes, executive cyber crisis workshops, ransomware simulations, operational exercises, and technical cyber drills help organisations validate their readiness before regulators, customers, and stakeholders put it to the test.
The first DORA incident report confirms what many security leaders already suspected. Resilience is no longer measured by the controls you implement. It is measured by how effectively your organisation responds when those controls fail. The institutions that invest in preparation today will be the ones best positioned to withstand tomorrow's disruptions.
If you're still looking for a partner who can help you achieve DORA compliance and elevate your organisational operational resilience, reach out to us today. Our bespoke solutions are curated to address the exact needs of your business, its scale, size and sector. We help you achieve compliance and go beyond it so that you feel assured in the operational resilience capabilities of your business.