The European Supervisory Authorities (ESAs), led by the European Banking Authority (EBA), published on 3 June 2026 their first joint report on major ICT-related incidents under the Digital Operational Resilience Act (DORA). The report covers incidents reported from January to December 2025 and aims to enhance transparency and supervisory convergence across the financial sector.

The report, mandated by DORA, provides an analysis of the number, nature, and impact of major ICT incidents reported by financial entities. It identifies key trends, including a rise in ransomware attacks and third-party service disruptions, and offers recommendations for improving incident reporting and response. The ESAs stress the importance of robust operational resilience frameworks and call for enhanced cooperation between financial institutions and national competent authorities.

Stakeholder impact

Financial institutions face increased scrutiny and potential compliance costs as they must align with DORA's incident reporting requirements. National supervisors gain a clearer picture of systemic risks, enabling more targeted oversight. Consumers benefit from improved transparency and potentially greater stability of financial services. However, the report's recommendations may lead to additional administrative burdens for smaller entities, which could struggle with the complexity of DORA compliance.

Expected follow-up

The ESAs will continue to monitor ICT incidents and update the report annually. The European Commission may use the findings to assess the effectiveness of DORA and consider further legislative or regulatory adjustments. Financial entities are advised to review their incident management processes in light of the report's recommendations.
