
The first annual Report on major ICT-related incidents under the European Union’s Digital Operational Resilience Act (DORA) signals the transition from implementation readiness to supervisory evidence.
The European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) – reported 3,383 major information and communication technology (ICT) incidents across EU financial entities in 2025. Around one third had a cross-border impact, although the direct effect on clients and transactions was generally limited. System failures and external events were the main drivers, while only 10% of reported incidents were related to cybersecurity. The findings point to a resilience challenge that is increasingly about shared infrastructure, outsourced services, incident classification and the ability to produce consistent evidence under supervisory timeframes.
DORA, which has applied since 17 January 2025, already requires financial entities to identify, manage, classify, escalate and report major ICT incidents. But the first annual incident report gives supervisors a broader view of how disruption is being recorded across the EU financial system, where the main drivers are emerging and how interconnected those incidents have become.
From Resilience to Evidence
DORA requires financial entities to define and implement an ICT incident-management process to detect, manage and notify incidents. It also requires firms to record all incidents and significant cyber threats, and to establish processes for consistent monitoring, handling and follow-up so that root causes are identified, documented and addressed.
That turns incident response into a data and governance challenge. A firm needs to know which service has been affected and which business line owns it. It also needs to establish whether the service supports a critical or important function, whether clients or counterparties are affected, whether transaction processing has been disrupted, whether data has been lost or compromised, and which third-party dependencies are involved. In many firms, that information may be distributed across multiple systems, including cyber operations, technology service management, operational risk, outsourcing registers, business-continuity plans, communications teams and compliance reporting workflows.
Classification Becomes a Control
The classification of an incident is now one of the most important control points in the resilience framework. DORA requires firms to assess incidents using criteria that include the number and significance of clients or financial counterparts affected, the number or value of transactions affected, reputational impact, duration, geographical spread, data loss, service criticality and economic impact. Equally, a firm may need to evidence why a disruptive event was not classified as major.
That places pressure on governance. Compliance, risk, technology and operations teams need a common classification framework, clear materiality thresholds and a defensible audit trail for decisions made during the incident. Firms should be ready to demonstrate to supervisors that they have a consistent basis for deciding when to report.
Timelines create workflow risk
The EBA’s joint technical standards on major incident reporting set out time limits of four hours after classification and 24 hours after detection for the initial notification, 72 hours for the intermediate report and one month for the final report. The standards also establish the information to be collected and the templates and procedures for reporting major incidents and notifying significant cyber threats.
Those timeframes make manual evidence gathering fragile. Firms cannot wait until an incident has been stabilised before determining who owns the report, which facts are required, where impact data sits or who approves the notification. They need pre-defined escalation paths, mapped data sources, agreed sign-off routes and tested workflows.
The reporting obligation also creates a need for version control. Initial notifications may be based on incomplete information. Intermediate reports may refine the impact assessment. Final reports need a fuller account of causes, remediation and cost. Each stage should be consistent enough to show a developing understanding of the case, rather than disconnected snapshots produced by different teams.
Board evidence
DORA also brings incident reporting into senior governance. Firms must ensure that (at least) major incidents are reported to senior management and that the management body is informed of their impact, response and additional controls.
DORA further requires post-incident reviews after major incidents that disrupt core activities, including analysis of causes, response promptness, forensic analysis where appropriate and whether established procedures were followed.
This is where operational resilience becomes a board-evidence issue. A management body may receive a summary of the event, but the supervisory question is likely to be how the summary is supported by consistent underlying evidence.
The same applies to remediation. Firms need to show not only that an incident was reviewed, but that controls were updated, tracked and incorporated into the risk-management framework.
The ESA report found that a third of the major incidents had cross-border impact, with system failures and external events being the main drivers.
DORA’s next phase is likely to be measured not only by the quality of resilience policies, but by the consistency of the evidence that supports them. Firms will need to show that they can detect disruption, classify it consistently, escalate it quickly, report it accurately and preserve the evidence needed for supervisory review.