Over 3,300 IT incidents at European financial firms in 2025

European financial entities recorded a significant number of major IT incidents last year, with 3,383 events logged in 2025. This figure, published for the first time by a consortium of European supervisors including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), stems from the implementation of the Digital Operational Resilience Act (Dora).

The Dora regulation, which came into effect last year, mandates reporting for such incidents. The report indicates that approximately one-third of these major incidents had repercussions across multiple countries, highlighting the interconnected nature of the European financial system. Incidents impacting credit and payment activities were particularly affected.

Despite the high number, the supervisors caution against interpreting it as a sign of systemic weakness. Instead, they attribute it to the increasing complexity, scale, and interconnections of digital tools within the financial sector, suggesting that operational incidents are, to some extent, unavoidable. These events can be triggered by various factors, including internal system malfunctions, human error, external events like power outages, or cyberattacks.

However, the report also commends the financial institutions' capacity to "identify, manage, and contain major incidents quickly." The Dora framework aims to elevate operational resilience through common standards, stress tests, and clear incident management protocols, thereby limiting contagion risks. Encouragingly, two-thirds of the reported major incidents resulted in no or only minor disruptions for customers and transactions, demonstrating the effectiveness of existing resilience measures.