Source
European Banking Authority
June 03, 2026
The European Supervisory Authorities (EBA, EIOPA, and ESMA) published their first annual overview of major ICT-related incidents in the EU financial sector, based on the reporting mechanism established by the Digital Operational Resilience Act (DORA).
The report shows that ICT risks are increasingly borderless and interconnected. It emphasizes that the evolution of AI-driven tools should encourage financial entities to enhance cybersecurity measures to maintain resilience.
DORA aims to harmonize and streamline the reporting of major ICT-related incidents by establishing consistent requirements for management, classification, and reporting. Proper notification of incidents to all relevant authorities enables faster and coordinated responses, strengthening the resilience of the European financial system.
The report indicates that approximately one-third of the 3,383 major incidents reported involved cross-border impacts, highlighting the growing interconnectedness through shared infrastructure and services. The impact on clients and transactions was generally limited. System failures and external events were primary causes, underscoring the importance of third-party risk management and effective oversight of outsourced services.
Only 10% of incidents were related to cybersecurity, but maintaining high cybersecurity standards remains crucial, especially with the advancement of AI tools. These findings reflect the increasing systemic nature of ICT risks and the need for ongoing supervision to enhance sector resilience.
Legal basis: Article 22(2) of DORA requires the ESAs to report annually on major ICT-related incidents, including incident numbers, nature, impact, remedial actions, and costs.
Definition: An ICT-related incident is an unplanned event or series of events that compromise network security and adversely affect data or services. A major ICT incident significantly impacts critical functions of a financial entity.