DORA ICT Incident Reporting: What the ESAs First Annual Report Reveals
Last updated: June 2026
If your firm filed a major incident under DORA in 2025, that report has now been counted. On 3 June 2026 the three European Supervisory Authorities published their first annual report on major ICT-related incidents, putting a hard number on what used to be guesswork: how many major incidents the EU financial sector reports, where they cluster, and what causes them. For anyone who owns DORA ICT incident reporting, the value is the chance to compare your filing record against a sector baseline and see whether your classification calls look like an outlier.
That comparison now cuts both ways. Supervisors have the same baseline, and the report flags underreporting of payment-related incidents and divergent classification practices as live concerns. An authority seeing an entity report far fewer incidents than its peers has a reason to ask why.
Related reading: our DORA ICT incident reporting guide
What the ESAs published and why it exists
The document is a Joint Committee report, reference JC 2026 16, dated 3 June 2026. Article 22(2) of DORA, Regulation (EU) 2022/2554, requires the ESAs through the Joint Committee to report each year, on an anonymised and aggregated basis, on the number of major incidents, their nature, their impact on entities or clients, the remedial actions taken, and the costs incurred. This first edition leans on the first three; the cost data is thin this early.
The data comes from the reports financial entities submitted to their competent authorities under Article 19 of DORA. One methodology detail is easy to misread: the analysis only covers 2025 incidents with a final report submitted by a cutoff of 5 February 2026, and roughly 15 percent of the incidents notified in 2025 had no final report by then and were excluded. The 3,383 figure is a count of resolved, final-reported incidents, not of everything notified.
The headline numbers and what 0.18 per entity means
Financial entities reported 3,383 major ICT-related incidents across the EU in 2025, around 282 per month. Against the population subject to DORA, that is 0.18 major incidents per entity for the year.
The ESAs are blunt that this is not a scoreboard: a high count is not evidence of weakness, and a low count is not evidence of resilience. Resilience, they argue, is shown by fast detection and containment, and two thirds of major incidents caused no or only minor disruption to clients and transactions. The trap is treating 0.18 as a number to sit below; an entity with digitally intensive, customer-facing services will sit well above it for reasons unrelated to control failures.
Where the incidents concentrated: the credit and payments benchmark
More than three quarters of 2025 major incidents came from two sectors. The credit sector was more than 60 percent of the total, at an average of 0.57 incidents per entity. The payments sector, covering payment institutions, electronic money institutions and account information service providers, added about 16 percent, at 0.23 per entity.
The concentration is structural. Both sectors already reported major incidents before DORA, under the revised Payment Services Directive (PSD2) since 2018, and many smaller credit institutions share group infrastructure and the same large providers, so a single failure can spawn dozens of related incidents. A credit institution filing well under 0.57, or a payment firm far below 0.23, is not automatically a model of resilience; it may be one not escalating events its peers classify as major, the underreporting pattern the ESAs flagged for payments.
What triggered classification, and the cross-border footprint
The materiality thresholds that decide when an incident becomes major sit in the RTS on classification criteria, Commission Delegated Regulation (EU) 2024/1772. In 2025, two criteria did most of the work: the duration and service downtime of the incident, and the number of clients, financial counterparts and transactions affected. A further 16 percent were classified major on reputational impact: media coverage, repeated complaints, a likely regulatory breach, or material customer loss.
Because one incident can trip several criteria, the criteria counts exceed the incident total. That is the point teams get wrong. I have seen final reports cite only the downtime criterion when client impact and reputational impact both clearly applied, and that single-criterion habit is what makes a record look thin against peers and invites a reviewing authority to question the assessment.
On geography, about a third of major incidents, 1,056 of them, reached beyond the country where they were first reported, and roughly 8 percent touched more than 10 Member States. More than two thirds of the cross-border cases traced to system or process failures rather than attacks: the borderless pattern is driven by shared infrastructure and common providers, not a wave of pan-European cyberattacks.
Root causes and the third-party signal
By type, system failures were 51 percent of major incidents, external events 27 percent, and payment-related incidents 18 percent. Cybersecurity-related incidents were only 10 percent; among those, distributed denial of service attacks (33 percent) and data exfiltration and manipulation, including identity theft (31 percent) dominated, with ransomware concentrated in insurance. By root cause, from final reports, about half were system failures or malfunctions, external events 32 percent, process failures 19 percent, and human error 12 percent.
The number worth carrying into a board pack: almost one third of all major incidents, 29 percent, originated from a failure on the side of a third-party provider, including providers not designated as critical. The low cyber share is reassuring and lines up with the EBA Autumn 2025 Risk Assessment, where the share of banks hit by a successful attack resulting in an actual major incident fell to 28 percent from 35 percent. But third-party dependency is doing real damage through ordinary providers, not just the critical ones. If your ICT third-party risk management watches only designated critical providers, that 29 percent is the argument for widening the lens. The same logic runs through the DORA Register of Information, which the ESAs expect to link to incident data so supervisors can trace events back to concentrated provider dependencies.
What to check in your DORA ICT incident reporting
The benchmarks are only useful turned on your own filings. Start with the clock. The RTS on content and time limits, Commission Delegated Regulation (EU) 2025/301, sets the initial notification within four hours of classifying the incident as major and no later than 24 hours from awareness, the intermediate report within 72 hours of the initial notification, and the final report no later than one month after the intermediate report. The four-hour clock runs from classification, not detection. When I reconstruct an incident timeline, the gap between awareness and classification is the field that gets challenged most, because a slow classification can quietly push the four-hour window past the 24-hour backstop.
Then check your classification-criteria selection against Delegated Regulation (EU) 2024/1772, and check third-party origin. The templates in the ITS, Commission Implementing Regulation (EU) 2025/302, capture whether an incident began with a provider, and Article 7 of that ITS lets a provider submit aggregated information for multiple affected entities. If a shared provider was the source, confirm who is filing and that your own impact is still reflected, because aggregated submission does not remove your reporting footprint. Firms preparing for threat-led penetration testing under DORA already map these dependencies, and smaller entities are not exempt, though the proportionality in DORA shapes the surrounding machinery, as our note on DORA resilience testing for smaller firms sets out.
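As an added illustration, not code from the ESAs or from this site, the following checker reconstructs an incident timeline against the clocks in Delegated Regulation (EU) 2025/301 as summarised above: each deadline runs from the actual preceding event, and it flags when a slow classification lets the 24-hour backstop override the four-hour window. The sample incident is constructed, and treating "one month" as the same calendar day of the following month is an assumption.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Time limits as stated on this page (Delegated Regulation (EU) 2025/301).
FOUR_HOURS = timedelta(hours=4)          # initial notification, from classification as major
TWENTY_FOUR_HOURS = timedelta(hours=24)  # backstop for the initial notification, from awareness
SEVENTY_TWO_HOURS = timedelta(hours=72)  # intermediate report, from the initial notification


def add_one_month(ts: datetime) -> datetime:
    """Assumption: same day of the next month, clamped to that month's last day."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


def reconstruct_timeline(awareness, classified, initial_sent=None, intermediate_sent=None, final_sent=None):
    """Return ({stage: deadline}, [findings]) for timezone-aware datetimes.

    Later clocks start at the actual submission of the preceding report, not at its deadline,
    so deadlines for stages whose predecessor was never sent are left out.
    """
    if classified < awareness:
        raise ValueError("classification cannot precede awareness")
    findings = []
    # The four-hour window runs from classification but can never pass awareness + 24h.
    initial_due = min(classified + FOUR_HOURS, awareness + TWENTY_FOUR_HOURS)
    if classified + FOUR_HOURS > awareness + TWENTY_FOUR_HOURS:
        findings.append(f"classification took {classified - awareness}; the 24h backstop now governs the initial notification")
    deadlines = {"initial": initial_due}
    if initial_sent is not None:
        if initial_sent > initial_due:
            findings.append(f"initial notification late by {initial_sent - initial_due}")
        deadlines["intermediate"] = initial_sent + SEVENTY_TWO_HOURS
        if intermediate_sent is not None:
            if intermediate_sent > deadlines["intermediate"]:
                findings.append(f"intermediate report late by {intermediate_sent - deadlines['intermediate']}")
            deadlines["final"] = add_one_month(intermediate_sent)
            if final_sent is not None and final_sent > deadlines["final"]:
                findings.append(f"final report late by {final_sent - deadlines['final']}")
    return deadlines, findings


def sample_case():
    """Constructed incident: classified 22 hours after awareness, so the backstop bites."""
    ts = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    return reconstruct_timeline(awareness=ts("2025-03-10T09:00"), classified=ts("2025-03-11T07:00"),
                                initial_sent=ts("2025-03-11T10:00"), intermediate_sent=ts("2025-03-13T12:00"),
                                final_sent=ts("2025-04-15T08:00"))


if __name__ == "__main__":
    deadlines, findings = sample_case()
    for stage, due in deadlines.items():
        print(f"{stage:12s} due {due.isoformat()}")
    print("\n".join(findings))
```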
Frequently Asked Questions
What exactly did the ESAs publish on 3 June 2026?
A Joint Committee report (JC 2026 16), the 2025 Report on major ICT-related incidents. It is the first annual report required by Article 22(2) of DORA and presents anonymised, aggregated data on the 3,383 major incidents reported across the EU in 2025.
Does the 3,383 figure include every incident notified in 2025?
No. The ESAs limited the analysis to 2025 incidents with a final report submitted by 5 February 2026. About 15 percent of incidents notified in 2025 had no final report by that cutoff and were excluded, so the figure reflects resolved, final-reported incidents.
Which sectors reported the most incidents?
Credit and payments together were more than three quarters. Credit institutions alone were more than 60 percent at 0.57 incidents per entity, and payments added about 16 percent at 0.23 per entity. The report attributes this to pre-DORA reporting history, shared group infrastructure, and digitally intensive services.
What were the deadlines for reporting a major incident?
Under Commission Delegated Regulation (EU) 2025/301: an initial notification within four hours of classifying the incident as major and no later than 24 hours from awareness, an intermediate report within 72 hours of that notification, and a final report within one month of the intermediate report.
Should we worry if our incident count is below the sector average?
Not automatically, but it is worth examining. A count well below peers can reflect strong controls, or events not being escalated as major. The report raises suspected underreporting of payment-related incidents and divergent classification practices, so a low count is a prompt to check your classification calls, not a result to celebrate.
Related Articles
- DORA ICT Incident Reporting – The full walkthrough of the classification and reporting process this report measures.
- DORA Register of Information – How the register captures ICT contractual arrangements and supports critical third-party provider designation.
- DORA TLPT for European Financial Entities – What designated entities must prepare for threat-led penetration testing.
- DORA Resilience Testing for Smaller Firms – How proportionality shapes testing duties for microenterprises and smaller entities.
- PSD2 Reporting Requirements – The predecessor major-incident reporting regime for payment and credit firms.
Key Takeaways
- The ESAs published their first DORA major ICT incident annual report (JC 2026 16) on 3 June 2026, under the Article 22(2) mandate in Regulation (EU) 2022/2554.
- Financial entities reported 3,383 major incidents across the EU in 2025, an average of 0.18 per entity, but the ESAs warn the count is not a measure of resilience.
- The figure excludes roughly 15 percent of notified incidents that had no final report by the 5 February 2026 cutoff.
- Credit institutions drove more than 60 percent of incidents (0.57 per entity) and the payments sector about 16 percent (0.23 per entity), a structural concentration rather than a sign of weakness.
- Duration and client or transaction impact were the dominant classification criteria; 16 percent were classified major on reputational impact, and one incident can trip several criteria.
- About a third of incidents had cross-border reach and roughly 8 percent affected more than 10 Member States; system failures (51 percent by type) led the causes while cyber was only 10 percent.
- 29 percent of incidents originated with a third-party provider, including non-critical ones; test your filings on the four-hour-from-classification clock, criteria-selection depth versus peers, and provider origin.
How to read this report against your own filings
The first annual report turns DORA incident reporting from a private obligation into a public baseline that sits on both sides of the table. Pull your 2025 filings, line them up against the sector averages, the classification-criteria mix and the 29 percent third-party share, and treat any gap as a question to answer before a competent authority does.
Sources and References
- ESAs press release, “ESAs publish first report on DORA major ICT-related incidents”, 3 June 2026: eba.europa.eu
- ESAs, “2025 Report on major ICT-related incidents” (JC 2026 16), 3 June 2026 (PDF): eba.europa.eu
- Regulation (EU) 2022/2554 (DORA), OJ L 333, 27.12.2022: data.europa.eu
- Commission Delegated Regulation (EU) 2024/1772 (RTS on classification criteria and materiality thresholds), OJ L 2024/1772, 25.6.2024: data.europa.eu
- Commission Delegated Regulation (EU) 2025/301 (RTS on content and time limits for incident reporting), OJ L 2025/301, 20.2.2025: data.europa.eu
- Commission Implementing Regulation (EU) 2025/302 (ITS on templates and procedures for incident reporting), OJ L 2025/302, 20.2.2025: data.europa.eu