ESAs publish first annual report on major ICT-related incidents under DORA

On the 3rd of June 2026, the European Supervisory Authorities (“ESAs”), namely the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”), and the European Securities and Markets Authority (“ESMA”), published their first annual report on major ICT-related incidents reported under the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (“DORA”). The report, published pursuant to Article 22(2) of DORA, provides a first indication of the operational resilience challenges facing the EU financial sector following the application of DORA and offers insight into the types of incidents, vulnerabilities and dependencies most commonly affecting financial entities.

The following is a non-exhaustive summary of the report's most salient findings.

Number of Major ICT-Related Incidents

During 2025, financial entities across the European Union reported a total of 3,383 major ICT-related incidents, corresponding to an average of 0.18 major incidents per financial entity subject to DORA. The majority of incidents were reported by entities operating within the credit and payments sectors [1].

The ESAs note, however, that the number of incidents should not be viewed as evidence of inherent weaknesses within the financial sector, given that increasing digitalisation, complexity and interconnectedness make a certain degree of operational disruption unavoidable. Rather, resilience is reflected in the ability of financial entities to identify, manage and contain incidents effectively.

Cross-Border Impact

Approximately one-third of all major ICT-related incidents had a cross-border impact, reflecting the increasing interconnectedness of the financial sector through shared infrastructures, common ICT services and cross-border business models [2]. In this regard, the report identifies the February 2025 TARGET Services outage and the April 2025 Iberian Peninsula blackout as two events which generated a significant number of incident reports, and which illustrate the extent to which disruptions affecting critical infrastructure may have wider consequences for the provision of financial services across multiple jurisdictions.

Main Causes of Incidents

System failures emerged as the principal driver of major ICT-related incidents, accounting for approximately 51% of all major incidents. External events represented 27% of incidents, whilst payment-related incidents accounted for 18% [3]. The findings are particularly noteworthy given that the majority of major incidents originated from operational and technological failures rather than cybersecurity events, underscoring the broad scope of risks that financial entities are required to manage under DORA.

Third-Party Risk

Approximately 29% of major ICT-related incidents originated from failures attributable to third-party providers, highlighting the extent to which financial entities rely on external providers for the delivery of critical services [4]. The findings also illustrate the operational resilience implications that may arise where disruptions affect such providers.

Cybersecurity Incidents

Cybersecurity-related incidents accounted for approximately 10% of major incidents reported during 2025 [5]. Whilst the relatively low number of such incidents may suggest that existing safeguards and detection mechanisms are generally effective, the ESAs stress the importance of maintaining high cybersecurity standards in light of increasingly sophisticated AI-driven tools.

Impact on Clients, Transactions and Financial Counterparts

Despite the volume of major ICT-related incidents reported during 2025, the report finds that their impact on clients, transactions and financial counterparts was generally limited. According to the ESAs, two-thirds of reported incidents resulted in no or only minor disruption, indicating that financial entities were, in most cases, successful in detecting, containing and addressing incidents before they developed into more significant operational events [6].

Remedial Measures

The report notes that financial entities generally adopted a combination of immediate remedial measures aimed at restoring service continuity and stabilising affected systems, with longer-term corrective actions designed to reduce the likelihood of recurrence [7].

Where incidents originated from third-party providers, remediation efforts frequently involved coordination with the relevant service provider to implement additional safeguards and controls.

The report reinforces several important themes emerging from DORA’s first year of application:

  • ICT risks are increasingly cross-border and interconnected in nature;
  • system failures and external events remain the principal drivers of major ICT-related incidents;
  • the relatively low number of cybersecurity incidents may suggest that existing safeguards and detection mechanisms are generally effective, although continued vigilance remains necessary; and
  • the importance of DORA’s harmonised incident reporting framework in supporting supervisory awareness and coordination across the EU financial sector.

Against this backdrop, local experience has shown that the regulatory and practical significance of a major ICT-related incident under DORA extends well beyond the submission of the relevant reports. In practice, these matters often require close legal and regulatory support across the incident management lifecycle, from initial detection, assessment and classification, through to regulatory notifications, supervisory engagement with the Malta Financial Services Authority (and, where applicable, the Information and Data Protection Commissioner), incident closure, and the implementation of remedial actions. A major ICT-related incident would also require a subsequent review of the entity’s ICT risk management framework, governance arrangements, and control environment. As recent experience has shown, the effective management of a major ICT-related incident requires not only an operational and technical response, but also a clear and structured approach to the legal, regulatory, and governance considerations arising in the process.


[1] Paragraph 1 of the Executive Summary of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[2] Point 17 of Section 3.1 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[3] Point 18 of Section 3.2 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[4] Point 19 of Section 3.2 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[5] Point 18 of Section 3.2 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[6] Paragraph 2, page 4 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
[7] Points 26, 27 and 28 of Section 3.4 of the 2025 report on major ICT-related incidents (Joint-ESA report under Article 22 of DORA)
