On 3 June 2026, the European Securities and Markets Authority (ESMA) published the 2025 joint report by the European Supervisory Authorities (ESAs) on major ICT-related incidents. The report, covering the period from 1 July 2024 to 30 June 2025, analyses the nature, frequency, and impact of significant cyber and information technology disruptions reported by financial entities across the EU. It aims to identify emerging risks and inform supervisory priorities under the Digital Operational Resilience Act (DORA).
The report consolidates incident data from the banking, securities, and insurance sectors, collected by the European Banking Authority (EBA), ESMA, and the European Insurance and Occupational Pensions Authority (EIOPA). It categorises incidents by root cause (e.g., cyberattacks, system failures, third-party disruptions), severity, and geographic distribution. Key findings include a 15% year-on-year increase in reported major incidents, with ransomware attacks accounting for 40% of all cyber-related events. The financial sector experienced an average of 12 hours of service downtime per incident, with costs estimated at €2.3 billion across the EU.
The report highlights that third-party service providers, particularly cloud vendors, were involved in 30% of major incidents, underscoring supply-chain vulnerabilities. It also notes that smaller financial institutions reported fewer incidents, possibly due to underreporting or less sophisticated detection capabilities. The ESAs recommend enhanced information-sharing among national competent authorities, regular stress testing of ICT systems, and stricter oversight of critical third-party providers.
Impact on stakeholders
Financial institutions face increased compliance costs as they may need to upgrade incident detection and reporting systems to meet DORA standards. Investors and consumers benefit from greater transparency and potentially improved operational resilience, reducing the risk of service disruptions. National regulators gain a clearer picture of systemic vulnerabilities but must allocate resources for more intensive supervision. Third-party technology providers, especially cloud firms, face tighter scrutiny and potential contractual obligations to report incidents directly to regulators.
Expected institutional follow-up
The ESAs will use the report's findings to refine DORA implementation guidelines and may propose amendments to the regulatory technical standards on incident classification. The European Commission is expected to review the report as part of its broader assessment of the EU's digital finance framework. National competent authorities are likely to increase on-site inspections and require remediation plans from entities with recurring incidents.