The 2025 ESA DORA report shows 29% of major ICT incidents originated from third-party providers. What it means for regulated firms.

The 2025 ESA DORA report shows 29% of major ICT incidents originated from third-party providers. What it means for regulated firms.

Earlier this month, on 3 June 2026, the three European Supervisory Authorities published their 2025 report on major ICT-related incidents under Article 22 of DORA. It analyses 3,383 incidents reported across the EU financial sector. One finding deserves particular attention from compliance teams at regulated firms.

1. What the report is

The report is a joint publication by the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority, issued through their Joint Committee. It responds to the mandate in Article 22(2) of the Digital Operational Resilience Act, which requires the ESAs to report each year, on an anonymised and aggregated basis, on major ICT-related incidents reported by financial entities.

The analysis covers major incidents that occurred in 2025 and for which a final report had been submitted by the cutoff date of 5 February 2026. A final report had not been received by that date for approximately 15% of the major incidents notified during the year, so those incidents were excluded from the analysis.

2. The headline numbers

Financial entities reported a total of 3,383 major incidents in 2025, an average of 282 per month. Measured against the population of entities subject to DORA, that works out at 0.18 major incidents per financial entity.

The incidents were concentrated in two sectors. More than 60% occurred within the credit sector, and a further 16% affected the payments sector. The report is careful to note that this concentration reflects market structure, the existence of similar reporting requirements before DORA, and the digital and customer-facing nature of those services, rather than any sector-specific weakness.

By type, system failures accounted for 51% of incidents, external events for 27%, and payment-related incidents for 18%. Those categorised as cybersecurity-related made up 10% of the total.

3. The figure that matters for outsourcing

The finding most relevant to day-to-day compliance work concerns where these incidents came from. According to the report, 29% of major incidents originated from ICT third-party service providers, rather than from the reporting financial entity itself.

The ESAs frame this directly. They state that dependencies on third-party providers, including those not designated as critical, constitute an area of supervisory attention, and they underline the need for financial entities to strengthen their third-party risk management frameworks.

What this means in practice: a major incident can become reportable for your firm even where the immediate failure sits outside your own environment. The problem may start with a provider you depend on, but the reporting obligation remains with the financial entity affected.

4. Two events that show the wider dependency risk

The report also gives two examples from 2025 that show how disruption can move through shared infrastructure and external dependencies.

The first was the TARGET2 incident on 27 February 2025. The report describes how core TARGET Services were unavailable for several hours, suspending securities settlement, payments, ancillary system processing and liquidity transfers. The root cause was identified as a rare hardware malfunction in a core storage component.

The second was the blackout on the Iberian Peninsula on 28 April 2025, which disrupted operations in Spain and Portugal for around ten hours. The report notes that while major banks' and insurance undertakings' data centres kept running on backup power, branches, telecommunications and point-of-sale terminals were widely affected, reducing the overall volume of operations.

Neither event began inside the financial entities that ended up reporting it, yet both led to major incident reporting by the entities involved. They illustrate the wider operational risk created by shared infrastructure and external dependencies.

5. Cross-border reach

The report also records that a third of major incidents (1,056 in total) had a cross-border impact, meaning their effects extended beyond the country where they were reported. In about 8% of all major incidents, more than ten countries were affected. The ESAs link this to the growing reliance on shared infrastructures, common ICT services and cross-border business models.

6. What it means for regulated firms

The 29% figure is more than a statistic. For firms relying on outsourced ICT services, it invites a specific question: can you identify the providers behind your critical or important functions, and would your register of information stand up if a provider's disruption became your reportable incident?

DORA applies across the EU financial sector, covering investment firms, electronic money institutions, payment institutions, crypto-asset service providers, fund managers and others. Article 19 requires financial entities to report major incidents, with an initial notification due within four hours of classification as major and no later than 24 hours from awareness. The report's own conclusion points the same way, identifying robust third-party risk management, effective oversight of outsourced services, and close coordination with providers during incident response as central to operational resilience.

Know what supervisors are focusing on. Third-party and outsourcing oversight is now a clear part of operational resilience expectations under DORA. Our seminars work through the practical implementation of these obligations for regulated firms.

Explore seminars at cpds.academy

The substantive analysis in this article is based solely on the Joint ESA Report on major ICT-related incidents (JC 2026 16, 3 June 2026). It is provided for general information and does not constitute legal or compliance advice.

Nikolas Demetriades

Article by Nikolas Demetriades

Published 22 Jun 2026