Lessons From 3,383 Disruptions: What Actually Triggers Major Incidents Under DORA
June 3, 2026
The European Supervisory Authorities (ESAs) have published their first comprehensive report on major ICT-related incidents reported under the Digital Operational Resilience Act (DORA). Documenting 3,383 major incidents across the EU financial sector during 2025, this data establishes an empirical baseline for operational resilience.
For Chief Risk Officers, CISOs, and financial executives, these findings provide clear guidance for strategic planning and resource allocation. The data challenges several common industry assumptions, shifting the focus from external cyber threats to the critical importance of internal IT governance and third-party dependencies.

1. The “Reporting Maturity Bias” Across Financial Sectors
The high-level metrics in the report indicate a significant concentration of reported incidents in specific areas of the market. More than three-quarters of all major incidents in 2025 occurred within just two sectors: Credit Institutions (60%) and Payment Institutions (16%).
| Sector | Share of Total 2025 Major Incidents |
|---|---|
| Credit Institutions (Banks) | 60% |
| Payment Institutions | 16% |
| All Other Sectors Combined | 24% |
While this distribution might suggest that banking and payment infrastructure is inherently vulnerable, it actually indicates a profound reporting maturity bias.
The Regulatory Context
The credit and payment sectors have been subject to mandatory major incident reporting since 2018 under the revised Payment Services Directive (PSD2). Consequently, their internal monitoring systems, escalation protocols, and compliance teams are highly developed.
Additionally, these sectors manage highly digital, consumer-facing services that process transactions at a massive scale daily. This continuous operational exposure ensures that technical disruptions are noticed immediately by automated monitoring systems or by the users themselves.
For entities operating in other sectors—such as asset management, insurance, and crypto-asset services—the strategic takeaway is clear: a low incident count does not automatically indicate superior security. It is highly probable that these sectors experience a similar baseline of operational friction but suffer from under-detection. Their internal frameworks may not yet be mature enough to identify when a localized technical disruption crosses the specific thresholds required for a DORA “major incident” notification.
2. Internal IT Governance as the Primary Source of Operational Risk
For several years, security strategies have been heavily influenced by narratives of sophisticated, external cyberattacks against financial institutions. While external threats remain a serious concern, the ESAs’ data reveals a different operational reality.
Cybersecurity-related incidents accounted for only 10% of the major incidents reported in 2025.
The primary drivers of operational disruption in the EU financial infrastructure were internal and technical: system failures and malfunctions caused 51% of all major incidents, while process breakdowns contributed an additional 19%.
| High-Level Root Cause Category | Impact Share (%) |
|---|---|
| System Failure / Malfunction | 51% |
| External Event | 32% |
| Process Failure | 19% |
| Human Error | 12% |
| Cybersecurity Incident | 10% |
(Note: Total percentages exceed 100% because a single major incident can be linked to multiple root causes.)
These metrics indicate that organizations frequently over-allocate risk budgets to advanced perimeter defense and threat intelligence tools while underfunding basic IT maintenance, software testing, and configuration management. A poorly validated software deployment, an unmapped code dependency, or an incorrect database configuration is statistically much more likely to trigger a mandatory DORA reporting window than an external malicious actor.
True operational resilience requires a balanced approach to risk budgeting. Organizations must complement their cybersecurity defenses with significant investments in robust IT lifecycle management, rigorous regression testing, and strict change-management governance.
3. Third-Party Risks and the Reality of Regional Breakdowns
A central pillar of the DORA framework is Third-Party Risk Management (TPRM). The 2025 data validates this emphasis, showing that 29% of all major incidents originated from a Third-Party Service Provider (TPP).
The report highlights a significant concentration risk. Because the financial sector relies on a small number of dominant cloud providers, core banking platforms, and payment systems, a failure at a single provider impacts multiple institutions simultaneously. This interconnectedness explains why 33% of all reported incidents in 2025 had cross-border impacts, with 8% affecting more than 10 EU Member States.
The Iberian Peninsula power outage of April 2025 serves as a clear example of how external infrastructure dependencies create operational vulnerabilities.
Case Study: The 2025 Iberian Grid Failure
On April 28, 2025, a major electrical grid failure caused a 10-hour power outage across Spain and Portugal. From an internal technical perspective, the primary data centers of the major financial institutions in the region functioned correctly using backup generators.
However, broader business operations were severely disrupted because secondary infrastructure failed. Telecommunication companies lost power, causing widespread network outages. As a result, clients could not access mobile banking platforms, retail branches lost connectivity, and point-of-sale (POS) terminals could not process card transactions.
The Iberian grid failure demonstrates that organizations cannot entirely transfer operational risk through outsourcing. A financial entity can secure its own servers and maintain redundant data centers, but it remains vulnerable to systemic infrastructure failures in the wider region.
Realistically, a financial institution cannot prevent a regional power grid or telecommunications collapse. Therefore, resilience planning must move away from attempting to avoid these events and focus instead on graceful degradation. This means designing systems and applications to remain partially functional in a highly degraded state—such as allowing mobile applications to securely queue payments offline, utilizing satellite internet backups for critical nodes, and geographically dispersing key operational staff so that a localized blackout cannot take an entire incident response team offline simultaneously.
4. The Operational Impact of Strict Regulatory Timelines
A critical metric within the report reveals the administrative challenges organizations face: approximately 15% of the financial entities that submitted an initial major incident notification in 2025 failed to deliver their final root-cause analysis report within the required regulatory timeframe.
Under DORA Article 19, financial entities must adhere to a strict, multi-stage notification schedule:
- Initial Notification: Submitted within 4 hours of classifying the incident as major (and no later than 24 hours from becoming aware of it).
- Intermediate Report: Submitted within 72 hours of the initial notification.
- Final Report: Submitted no later than one month after the intermediate report, requiring an exhaustive root-cause analysis.
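As an added illustration of that schedule (not code from the ESAs, DORA, or the report), the following deadline tracker computes the three deadlines from the awareness and classification times, applies the 24-hour cap on the initial notification, and flags stages that were filed late or are still unfiled past their due date; it assumes UTC timestamps, treats "one month" as 30 days, and uses a constructed sample incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Clocks from the DORA Article 19 schedule as the article describes it.
# "One month" for the final report is taken as 30 days (an assumption).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)

@dataclass(frozen=True)
class Deadlines:
    initial: datetime
    intermediate: datetime
    final: datetime

def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    # The 4-hour clock starts at classification but is capped at 24 hours
    # from awareness, so a slow classification cannot push the deadline out.
    return min(aware_at + INITIAL_AFTER_AWARENESS,
               classified_at + INITIAL_AFTER_CLASSIFICATION)

def compute_deadlines(aware_at: datetime, classified_at: datetime,
                      initial_sent_at: Optional[datetime] = None,
                      intermediate_sent_at: Optional[datetime] = None) -> Deadlines:
    # Each later clock runs from the actual filing of the previous stage when
    # known; until then we plan against that stage's own deadline.
    initial = initial_deadline(aware_at, classified_at)
    intermediate = (initial_sent_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = (intermediate_sent_at or intermediate) + FINAL_AFTER_INTERMEDIATE
    return Deadlines(initial, intermediate, final)

def overdue_stages(deadlines: Deadlines, sent: dict, now: datetime) -> list:
    # A stage is overdue if it was filed after its deadline, or is unfiled
    # and its deadline has already passed.
    late = []
    for stage in ("initial", "intermediate", "final"):
        due, filed = getattr(deadlines, stage), sent.get(stage)
        if (filed is None and now > due) or (filed is not None and filed > due):
            late.append(stage)
    return late

# Constructed sample: aware at 10:00, classified as major 22 hours later, so
# the 24-hour awareness cap (not the 4-hour clock) sets the initial deadline.
AWARE_AT = datetime(2025, 4, 28, 10, 0, tzinfo=timezone.utc)
CLASSIFIED_AT = datetime(2025, 4, 29, 8, 0, tzinfo=timezone.utc)
SENT = {"initial": datetime(2025, 4, 29, 9, 30, tzinfo=timezone.utc),
        "intermediate": datetime(2025, 5, 2, 9, 0, tzinfo=timezone.utc)}
NOW = datetime(2025, 6, 3, 12, 0, tzinfo=timezone.utc)
```

With the sample data, `overdue_stages(compute_deadlines(AWARE_AT, CLASSIFIED_AT, SENT["initial"], SENT["intermediate"]), SENT, NOW)` reports only the final report as overdue, which is the stage the article says 15% of entities missed.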
The fact that nearly one in seven organizations missed the final reporting deadline indicates a significant operational strain. During a major technical disruption, internal engineering teams must prioritize crisis management and service restoration. Managing the concurrent administrative requirement to analyze complex forensics, complete detailed regulatory templates, and coordinate legal reviews within 30 days is testing the capacity of internal risk teams.
As supervisory authorities move past the transitional phase of DORA implementation and introduce automated data validation tools, these reporting delays will likely face stricter regulatory scrutiny. Financial institutions can no longer rely on manual, ad-hoc processes to manage incident compliance. Automating the collection, classification, and reporting of operational disruptions is becoming an essential operational requirement.
Conclusion: Key Actions for Managing Operational Incidents
The data proves that DORA reporting is now an established reality in the EU financial sector. Regulators now have the data to see exactly where operational failures occur across the industry.
As supervision tightens through late 2026, financial institutions should focus on three concrete priorities to align with these findings:
- Invest in IT Basics: Allocate risk budgets to software testing, change-management controls, and infrastructure maintenance to prevent the system failures that cause 51% of major incidents.
- Plan for Graceful Degradation: Accept that regional utility and telecom failures are inevitable. Rather than trying to ensure total uptime of external systems, design your internal applications and crisis protocols to support limited, offline, or alternative operational modes when infrastructure drops offline.
- Automate Reporting Processes: Implement dedicated tools to handle the strict DORA notification timeline, reducing the administrative burden on technical teams during a crisis.
Ultimately, the report shows that operational resilience is not a paperwork exercise. The organizations that manage risk successfully will be those that use this objective data to fix their internal IT governance and protect their core business operations.
Learn more
Read the full report here.