ESAs Publish the First Report on DORA Major ICT-Related Incidents

The Digital Operational Resilience Act (DORA) marks a watershed for European financial stability, mandating uniform reporting of ICT‑related incidents across banks, insurers and asset managers. By aggregating data from thousands of events, the ESAs’ inaugural report reveals that 3,383 major incidents were logged in the past year, translating to an average of 0.18 incidents per regulated entity. While most disruptions stemmed from system failures or external shocks, the fact that roughly 33% had cross‑border repercussions underscores the sector’s reliance on shared infrastructure and the need for a coordinated supervisory lens.

Cross‑border spillovers amplify systemic risk, compelling firms to tighten third‑party risk management and enforce rigorous oversight of outsourced service providers. The report’s finding that only a tenth of incidents were cybersecurity‑related should not breed complacency; the rapid evolution of AI‑driven tools could transform routine glitches into sophisticated attacks. Financial entities must therefore embed robust cyber‑hygiene practices, conduct continuous threat modelling, and maintain agile incident‑response playbooks that can scale across jurisdictions.

Looking ahead, DORA’s standardized reporting framework equips regulators with real‑time visibility, enabling faster mitigation and fostering a culture of resilience. For market participants, the implications are clear: invest in integrated risk platforms, strengthen collaboration with cloud and fintech partners, and prioritize AI‑enabled security solutions. Firms that proactively adapt to these expectations will not only reduce operational loss potential but also gain a competitive edge in an increasingly digital and interconnected financial landscape.