European Banks Report 3,383 ICT Incidents Under DORA in 2025

European financial institutions reported 3,383 major ICT-related incidents during 2025 under the Digital Operational Resilience Act, according to a joint report from the European Banking Authority, European Securities and Markets Authority, and European Insurance and Occupational Pensions Authority. The findings represent one of the first large-scale datasets showing how operational outages, system failures, and cyber incidents spread across Europe's financial sector under the new DORA reporting framework. Regulators stated the data reveal a financial system increasingly dependent on shared infrastructure, external technology providers, and interconnected digital services. DORA entered into force in January 2025, introducing harmonized ICT risk reporting obligations across the European financial system.

Credit Institutions Accounted for Over 60% of Reported ICT Incidents

Credit institutions accounted for more than 60% of all reported incidents, while payment firms represented another 16%. Regulators stated this concentration does not necessarily indicate structural weakness in banking or payments, but instead reflects the highly digital and customer-facing nature of those sectors, alongside pre-existing reporting obligations under PSD2.

One Third of Incidents Spread Beyond Origin Country

The data showed that operational disruption has become increasingly cross-border. Around one third of incidents spread beyond the country where they originated, while approximately 8% affected more than 10 countries simultaneously. Regulators linked this trend to growing dependence on shared technology providers, common infrastructure, and multinational business models. The report arrives as European regulators intensify scrutiny of operational resilience following several high-profile outages across payments, trading infrastructure, and banking systems during the past two years.

System Failures Represented 51% of All Reported Cases

System failures represented the largest category of incidents, accounting for 51% of all reported cases. External events represented another 27%, while payment-related incidents reached 18%. Cybersecurity-related incidents accounted for 10% of the total. The regulators stated the relatively low share of cybersecurity incidents may indicate that existing safeguards and detection systems are limiting successful attacks. At the same time, the report warned that increasingly sophisticated AI-driven cyber tools could alter the threat environment in the coming years.

Among cyber incidents, Distributed Denial of Service attacks represented 33% of reported events, while data exfiltration and manipulation accounted for 31%. Credit institutions experienced the highest concentration of those attacks because of their role in payments, digital banking, and large-scale customer data processing.

Third-Party Provider Failures Originated 29% of Major Incidents

Nearly 29% of major incidents originated from failures involving third-party providers, including ICT vendors, infrastructure operators, and outsourced service providers. Regulators stated the findings underline how operational failures at a single provider can rapidly propagate across multiple financial institutions and jurisdictions. The report noted that many financial institutions rely on common infrastructure for payments, core banking, and connectivity services. In some cases, a single outage generated dozens of separate incident reports because multiple institutions depended on the same provider.

TARGET2 Outage and Iberian Blackout Disrupted Operations in 2025

Operational outages during 2025 included several large-scale events that contributed to spikes in reporting volumes. The report specifically referenced the TARGET2 outage in February 2025, which disrupted securities settlement and payments processing for several hours, and the Iberian Peninsula blackout in April 2025, which affected operations across multiple sectors.

Two Thirds of Incidents Caused Limited Customer Disruption

Despite the number of incidents, regulators stated most disruptions caused limited downstream damage. Around two thirds of incidents either caused no disruption to customers and transactions or affected fewer than 1,000 clients or transactions. Only 1% of incidents affected more than one million transactions. The report stated rapid detection and containment measures played a central role in limiting spillover effects. Institutions generally stabilized incidents through immediate technical interventions before implementing longer-term remediation measures such as monitoring upgrades, testing improvements, and system configuration changes.

Financial counterparties also appeared relatively insulated from most incidents. Less than 18% of incidents affected other financial institutions, despite the growing interconnectedness of Europe's financial system. Regulators attributed this partly to safeguards already implemented across institutions and infrastructure operators.

Regulators Identified Reporting Inconsistencies During First DORA Year

The report highlighted inconsistencies in reporting practices across sectors and jurisdictions during the first year of DORA implementation. Around 15% of incidents notified during 2025 were excluded from the analysis because final reports had not yet been submitted by the February 2026 cutoff date. Meanwhile, approximately 93% of submissions passed quality checks and entered the final database. The ESAs stated further supervisory coordination and reporting standardization will remain a priority as DORA implementation matures. Regulators plan to continue refining incident analysis and improving data comparability across Europe's financial system.

The findings arrive as operational resilience becomes one of the defining regulatory themes across global financial markets. Over the past two years, regulators in Europe, the UK, and the US have increasingly shifted focus toward infrastructure concentration risk, cloud dependency, cyber resilience, and technology governance. Large financial institutions now operate in an environment where outages can spread rapidly across borders, counterparties, and payment systems within minutes. The DORA dataset suggests European regulators increasingly view operational resilience not as a narrow cybersecurity issue, but as a broader systemic stability challenge tied to infrastructure design, outsourcing concentration, and digital interdependence.

The report also illustrates how operational risk is evolving alongside the modernization of financial services. Mobile banking, instant payments, algorithmic trading, digital assets, and embedded finance continue to increase transaction volumes and infrastructure complexity across the industry. That growth raises the probability that operational disruptions will occur even when institutions maintain strong cybersecurity standards. For financial firms, the findings may increase pressure to strengthen third-party oversight, diversify critical providers, and improve incident containment capabilities. For regulators, the report provides an early benchmark for measuring how Europe's financial sector adapts to DORA's operational resilience framework over the coming years.

FAQ

What did European financial institutions report under DORA in 2025?
European financial institutions reported 3,383 major ICT-related incidents during 2025 under the Digital Operational Resilience Act, according to a joint report from the European Banking Authority, European Securities and Markets Authority, and European Insurance and Occupational Pensions Authority.

What percentage of ICT incidents originated from third-party provider failures?
Nearly 29% of major incidents originated from failures involving third-party providers, including ICT vendors, infrastructure operators, and outsourced service providers, according to the regulators' report.

Which major operational outages occurred in Europe during 2025?
The report specifically referenced the TARGET2 outage in February 2025, which disrupted securities settlement and payments processing for several hours, and the Iberian Peninsula blackout in April 2025, which affected operations across multiple sectors.
