Of the 3,383 incidents recorded in 2025, cybersecurity accounted for only 10%
European financial institutions recorded 3,383 major incidents related to their information systems last year. Few of these were cybersecurity incidents. However, it will be necessary to strengthen risk management related to third parties, with a particular focus on outsourced services.
3,383. That is the number of major incidents related to information systems recorded last year by European financial institutions, according to a new report published by the European supervisory authorities EBA, EIOPA, and ESMA on the impact of DORA (Digital Operational Resilience Act).
The report—the first of its kind—reveals that IT-related risks are increasingly cross-border and interconnected. The authorities also emphasize that the recent development of high-performance AI tools should prompt financial institutions to strengthen their cybersecurity measures in order to maintain their resilience.
The total of 3,383 major incidents equates to 0.18 incidents per regulated entity, or an average of 282 per month. The authorities caution that this volume does not reflect a structural weakness. The sector’s increasing digitization, complexity, and interconnectivity make operational incidents partly inevitable, and resilience is measured by the ability to detect and contain incidents, not by the raw number.
System failures and external events were the main factors, highlighting the need for robust third-party risk management, effective oversight of outsourced services, and close coordination with service providers during incident response and resolution.
Less than 10% of incidents are related to cybersecurity
In the vast majority of cases, the impact on clients was nonexistent or minor. Nearly 60% of incidents affected fewer than 1,000 clients, and two-thirds resulted in no disruption to transactions or only limited disruption. Only one in 100 incidents affected more than one million transactions, and fewer than 18% affected other financial counterparties. Rapid detection and containment measures generally succeeded in limiting operational damage and ripple effects, even in an environment characterized by strong interdependencies.
Only 10% of reported incidents are related to cybersecurity. System failures account for 51%, external events for 27%, and payment-related incidents for 18%. At their root, half of the incidents stemmed from a system failure or malfunction, ahead of external events and process failures. Authorities interpret the low frequency of cyber incidents as a sign that the protection and detection measures in place effectively limit the occurrence of such incidents.
Third Parties in the Spotlight
Nearly one-third of major incidents stem from a failure attributable to a third party, whether an IT service provider, another financial institution, or an infrastructure provider.
The report identifies this as a key prudential concern and emphasizes the need to strengthen third-party risk management, oversight of outsourced services, and coordination with service providers during response and remediation. Dependence on service providers—even those not designated as critical—is an area requiring vigilance.
This concentration of risk among third parties also explains why the risk is systemic. One-third of the 3,383 incidents had a cross-border impact, and nearly 8% affected more than ten countries.
For an IT director or CFO in the sector, the investment priority is shifting from merely defending against attacks to system resilience, change governance, and contractual control over service providers. The report explicitly recommends enhanced oversight of outsourced services and close coordination with suppliers when responding to incidents, which requires revised service level agreements and up-to-date mapping of dependencies.


