One in three serious ICT incidents recorded in 2025 affected more than one European Union (EU) member state. In other words, these were incidents with cross-border impact. The first assessment of the DORA Regulation confirms that managing technological risk requires an approach capable of integrating infrastructure, ICT providers, and business continuity.

 

On June 3, 2026, the European Supervisory Authorities, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), published the first report on serious incidents related to Information and Communications Technologies (ICT) reported by financial institutions under the DORA (Digital Operational Resilience Act).

It should be noted that, as of January 17, 2025, the DORA Regulation is mandatory for banks, insurers, payment institutions, investment firms, and other financial institutions in the EU. Its objective is to strengthen the digital operational resilience of the financial sector through a common framework for preventing, detecting, responding to, and recovering from incidents related to the digital environment.

The report analyzes 3,383 serious ICT incidents that occurred in 2025 and were closed with a final report by February 5, 2026. It constitutes the first official assessment of the new serious incident reporting regime under DORA. One of the findings is particularly revealing: 1,056 incidents had a cross-border impact and affected entities, services, or infrastructure located in more than one Member State. This figure reflects the extent to which the European financial system now functions as a deeply interconnected ecosystem.

Table of Contents

DORA's first year, in numbers

The report provides the first comprehensive overview of the patterns of serious ICT incidents in the European financial sector. Among its key findings are:

 

  • 3,383 serious ICT incidents included in the 2025 analysis.
  • An average of 282 incidents per month.
  • 1,056 incidents had a cross-border impact.
  • 29 % of the incidents were caused by a failure attributable to third-party service providers (TPPs), including ICT providers, other financial institutions, or infrastructure providers.
  • Two out of every three incidents had no or only a limited impact on customers and transactions, in a context where the report highlights early detection and the rapid implementation of corrective measures as key factors in mitigating the impact.
  • Only about 10 % were classified as cybersecurity-related incidents. Most were caused by system failures, external events, and process failures.

 

The figures show how business continuity increasingly depends on complex digital infrastructures with multiple external dependencies: cloud providers, telecommunications operators, data centers, managed cybersecurity services, payment platforms, digital identity providers, and critical technology services, among others.

For financial institutions, this means that operational resilience goes beyond protecting their own infrastructure: they must understand their external dependencies, monitor technology providers, and have an infrastructure ready to operate in distributed environments.

The relatively low incidence of cybersecurity-related incidents compared to other causes also broadens the traditional view of technological risk. Operational resilience requires not only protecting against cyberattacks but also ensuring system availability and mitigating the impact of operational or provider failures.

 

Early detection reduces the impact

Another significant finding: two out of every three incidents had no or only a limited impact on customers and transactions. The report breaks down this figure as follows:

 

  • Customers: About 60% of incidents did not affect any customers or affected fewer than 1,000.
  • Transactions: 32% of incidents did not affect any transactions, and an additional 26% affected fewer than 1,000.
  • Other financial institutions: Less than 18% of incidents had an impact on other financial institutions or infrastructure with which an institution maintains operational, contractual, or transactional relationships.

 

However, this majority of incidents with limited impact does not mean there were no severe incidents: 30 incidents, 1% of the total, affected more than one million transactions, primarily in the credit and payments sectors. The report presents this data precisely as a counterpoint: the general trend was limited impact, but a minority of cases had far-reaching consequences, confirming that managing low-frequency, high-impact incidents remains a challenge.

For the majority of cases, that is, setting aside that minority of severe incidents, the report itself points to two main factors to explain the limited impact: the timely detection of incidents and the rapid implementation of corrective measures, which made it possible to contain their effects before they escalated into broader disruptions. Added to this is the robustness of the safeguards already in place at these institutions, which helped mitigate the contagion effect even in a highly interdependent environment.

For financial institutions, continuous monitoring, infrastructure observability, and the ability to identify anomalies in real time have emerged as fundamental elements for reducing the operational impact of an incident. The speed of response is one of the key factors that distinguishes a contained incident from one with more serious consequences.

 

Measuring operational resilience

The information collected under DORA makes it possible, for the first time, to build a consistent knowledge base on serious ICT incidents recorded in the European financial system.

This information makes it easier to:

 

  • Identify common trends.
  • Compare trends in incidents.
  • A better understanding of where the main technological risks are concentrated.
  • Guiding supervisory priorities and operational resilience strategies.

 

Beyond the numbers, the report is the first European tool that allows for a structured analysis of how technological risk is evolving in the financial sector.

 

Network infrastructure: a strategic component

The report does not go into detail about network infrastructure as such, but its main findings—the interconnectedness of the financial system, the extent of dependencies on third parties, and the importance of early detection to mitigate the impact—all point to the same underlying idea: operational resilience increasingly depends on the ability to manage distributed digital infrastructures and the technological dependencies they entail.

In this context, at Saima Systems, we believe that network infrastructure occupies a strategic position within any operational resilience plan. It is the point where users, offices, data centers, critical applications, cloud services, and third-party providers converge, and the layer from which consistent security policies can be applied, communications can be segmented, critical applications can be prioritized, observability can be enhanced, and operational continuity can be ensured.

SD-WAN platforms address precisely this need: they enable centralized management of distributed infrastructures, improve network visibility, and strengthen resilience against incidents. Solutions such as SAIWALL Secure SD-WAN, from Saima Systems, help financial institutions apply these principles to their existing infrastructure and provide them with greater control over connectivity, security, and service continuity.

DORA’s first report highlights one key conclusion: continuity in the European financial sector depends on managing distributed infrastructures and controlling technological dependencies. From our perspective, network infrastructure is one of the key elements for making this possible in an increasingly interdependent financial system.

 

To learn more

Full technical report: 2025 Report on major ICT-related incidents, Joint Committee of the ESAs (JC 2026 16), June 3, 2026.