
DORA incident report 2026: what 3,383 incidents reveal

The first DORA incident report, explained

On 3 June 2026 the European supervisors published the first ever DORA incident report. It is their annual overview of major ICT incidents across the EU financial sector, and it covers everything reported in 2025.

Until now, every firm only saw its own incidents. Each supervisor saw its own national slice. This report puts all of it in one place for the first time, and it gives the sector its first real benchmark under DORA.

Key takeaways
    • 3,383 major incidents were reported across the EU in 2025
    • Nearly one in three came from an outside provider
    • Two thirds caused little or no harm to customers
    • About 15% were missing a final report by the cutoff
    • A new reporting tool with automatic validation arrives in 2026

What did the first DORA incident report find?

The number in every headline is 3,383. That is how many major incidents financial entities reported during 2025. It works out to roughly 0.18 per entity in scope.

Before anyone panics, the supervisors said plainly that a high count is not proof the sector is weak. More digital services and more links between firms mean some disruption is going to happen. The point of DORA was never zero incidents. It was knowing about them and recovering fast.

Here is the short version of the data.

Finding | Figure
Major incidents reported in 2025 | 3,383
Average per entity in scope | 0.18
Incidents that spread across borders | about one third
Incidents touching more than ten member states | 8%
Incidents linked to a provider or outside party | 29%
Incidents caused by system failures | 51%
Incidents linked to cyber attacks | about 10%
Incidents with no or only minor client impact | two thirds

A few of these deserve a closer look.

Most incidents did not hurt customers

Two thirds of the major incidents caused no disruption to clients or transactions, or only a minor one. That is the good news, and it is worth saying out loud.

It suggests detection, response and recovery are mostly working. Firms are catching problems and containing them before customers feel the pain. That is exactly what the resilience testing pillar was built to produce.

So the takeaway is not that the sector is on fire. It is that firms are absorbing hits without falling over. Supervisors care more about that than about the raw incident count.

The real story is concentration risk

The finding that should get your attention is this one. Nearly one in three major incidents came from a provider or another outside party.

That matters because of how these failures spread. When one shared provider goes down, it does not cause one incident. It causes the same incident at every firm that relies on that provider, all at once. The supervisors called this a multiplier effect.

Picture a single cloud region having a bad day. Dozens of banks, insurers and payment firms all file major incident reports within the same few hours. Same root cause. None of them in control of it.

This is the concentration risk DORA has pointed at from the start. The report is the first hard evidence of it at EU scale. Expect supervisors to lean on this data when they ask about your provider dependencies and your exit plans.

One more note. The supervisors said their attention will not stop at the providers formally named as critical. If a provider is systemically important to your operations, it is on their radar whether or not it carries the CTPP label.

Cyber was only 10%, but the AI warning is loud

Only about 10% of the major incidents were tied to cyber attacks. System failures and external events drove the majority.

Do not read that as permission to relax. The supervisors used the report to flag something specific. Attackers now have access to far more capable tools driven by AI, and defences need to keep pace. The low cyber share reflects 2025. The warning is about what comes next.

The reporting quality problem no one is talking about

This part got less coverage, and it is the part that should worry compliance teams most.

Roughly 15% of the incidents reported in 2025 were missing a final report by the cutoff. The supervisors had to leave them out of the analysis. They also cleaned up a lot of what did come in, fixing formats, standardising identifiers and translating fields that arrived in other languages.

Read that again. One in seven major incidents did not have a complete reporting trail. Cost and recovery figures were the worst affected.

The supervisors will not tolerate that for long. They have already said a new reporting tool is coming in 2026, with automatic validation checks built in. Once those checks are live, a late or sloppy submission will not slip through. It will bounce back with your name on it.

So the message is simple. A major incident is not closed when service comes back. It is closed when the final report is filed, complete and on time. If your process treats the report as an afterthought, fix that now.

What the DORA incident report means for supervisors

Strip away the numbers and the report carries one clear message. Supervisors accept that incidents will happen. What they are grading is whether you can handle them.

That means three things in practice.

  • Can you keep the impact off your customers when something breaks?
  • Can you see and manage the risk sitting inside your providers?
  • Can you report cleanly, completely and on time, every time?

Read this report as a preview of the questions coming in your next supervisory conversation.

Your checklist for the next few weeks

Turn the report into action. Start here.

  • Pull your 2025 incident log. Check every major incident has a complete final report on file. Fix any that do not.
  • Look at your provider list. Mark the ones that would take several firms down with them. Those are your concentration points.
  • Confirm you have a real, tested exit plan for each critical provider, not a paragraph buried in a contract.
  • Time your own reporting clock. From classification to initial notification, can you actually hit four hours under pressure?
  • Bring the concentration finding to your management body. This is board level evidence now, not a technical footnote.
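
One way to run the first and fourth checklist items over an exported incident log, using the four-hour and one-month deadlines this page gives in its FAQ. This is an added example, not code from DORA GRC or the supervisors; the record field names, the calendar-month reading of "one month" and the sample log are assumptions constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta

INITIAL_WINDOW = timedelta(hours=4)              # classification -> initial notification
REQUIRED_FINAL = ("cost_eur", "recovery_hours")  # hypothetical field names

def add_one_month(ts):
    """Same day next month, clamped to month end (31 Jan -> 28 Feb). Assumed reading."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))

def audit(inc, as_of):
    """Findings for one incident record; an empty list means a clean trail."""
    initial, final = inc.get("initial_at"), inc.get("final_at")
    if initial is None:
        return ["initial notification missing"]
    findings = []
    if initial - inc["classified_at"] > INITIAL_WINDOW:
        findings.append("initial notification late")
    due = add_one_month(initial)
    if final is None:
        if as_of > due:
            findings.append("final report overdue")
    else:
        if final > due:
            findings.append("final report late")
        gaps = [f for f in REQUIRED_FINAL if inc.get(f) is None]
        if gaps:
            findings.append("final report incomplete: " + ", ".join(gaps))
    return findings

def audit_log(log, as_of):
    """Map incident id -> findings, listing only incidents with a problem."""
    results = {inc["id"]: audit(inc, as_of) for inc in log}
    return {k: v for k, v in results.items() if v}

T = datetime.fromisoformat
# Constructed sample log (not real incidents); timestamps assumed to be UTC.
SAMPLE_LOG = [
    {"id": "INC-001", "classified_at": T("2025-03-10T09:00"), "initial_at": T("2025-03-10T11:30"),
     "final_at": T("2025-04-08T16:00"), "cost_eur": 12000, "recovery_hours": 3},
    {"id": "INC-002", "classified_at": T("2025-06-02T14:00"), "initial_at": T("2025-06-02T19:15"),
     "final_at": T("2025-07-01T10:00"), "cost_eur": None, "recovery_hours": 6},
    {"id": "INC-003", "classified_at": T("2025-01-31T08:00"), "initial_at": T("2025-01-31T10:00"),
     "final_at": None},
    {"id": "INC-004", "classified_at": T("2025-09-01T10:00"), "initial_at": T("2025-09-01T12:00"),
     "final_at": T("2025-10-03T09:00"), "cost_eur": 800, "recovery_hours": 0},
]
if __name__ == "__main__":
    for inc_id, findings in audit_log(SAMPLE_LOG, T("2026-01-15T00:00")).items():
        print(inc_id, "->", "; ".join(findings))
```

A recovery time of zero counts as a filled field; only an absent value is flagged, since the page names cost and recovery figures as the most often missing.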

How DORA GRC helps

Most of the pain in this report comes from two places: scattered incident records that never quite get finished, and provider risk that no one has mapped end to end.

Both are what a structured platform is built to solve. DORA GRC keeps your incident timeline and evidence in one place, with the ITS reporting templates ready to go, so the final report is done when the clock runs out. The provider register shows which functions depend on which vendors, so concentration is visible before a supervisor points it out.

If you are still running incidents through email and tracking providers in a spreadsheet, the June report is a good reason to stop. Try the free DORA assessment to see where you stand in three minutes.

Frequently asked questions

What is the DORA incident report?

It is the annual overview of major ICT incidents that the European supervisors must publish under Article 22 of DORA. The first edition came out on 3 June 2026 and covers incidents reported across the EU financial sector in 2025.

How many major incidents were reported under DORA in 2025?

Financial entities reported 3,383 major incidents. That is an average of about 0.18 per entity in scope. Around one third had an impact across borders.

What is concentration risk under DORA?

It is the risk that many firms depend on the same small set of ICT providers. When one of those providers fails, it can trigger incidents at many firms at once. The first incident report showed nearly one in three major incidents came from an outside provider.

When must a DORA final incident report be submitted?

The final report is due within one month of the initial notification. The initial notification itself is due within four hours of classifying the incident as major. Missing these deadlines is a reportable breach.

Who published the DORA incident report?

The three European Supervisory Authorities published it jointly. They are the EBA, EIOPA and ESMA, working together through their Joint Committee.

You can read the official announcement here.
