DORA One Year Later: What the First Major Incident Report Reveals About Financial Sector Resilience

When the Digital Operational Resilience Act (DORA) became fully applicable in January 2025, financial institutions across Europe faced a new reality.

Banks, brokers, payment providers, crypto firms, and technology vendors were suddenly required to report major ICT incidents under a unified framework, conduct resilience testing, strengthen third-party oversight, and improve incident response capabilities.

In our previous guide, we explored what DORA is, who it applies to, and how firms could prepare for compliance.

Now, the European Supervisory Authorities (EBA, ESMA, and EIOPA) have published the first annual report on major ICT-related incidents under DORA, providing an unprecedented look at how resilient the financial sector really is after its first year of implementation. The findings reveal several surprising trends.

At first glance, the number may sound alarming. During 2025, financial institutions reported 3,383 major ICT-related incidents across the European Union. However, regulators stress that incident volume alone should not be interpreted as a sign of weakness.

In highly digitalised financial markets, operational incidents are inevitable. What matters is how quickly firms detect, contain and recover from them. And this is where the report becomes encouraging.

Perhaps the most important conclusion from the report is that most incidents caused relatively limited disruption to customers and counterparties.

According to the ESAs:

• Almost 60% of incidents affected fewer than 1,000 clients or had no client impact at all
• Two-thirds of incidents affected fewer than 1,000 transactions or no transactions whatsoever
• Less than 18% had any impact on financial counterparties

This suggests that firms are becoming increasingly effective at detecting and containing problems before they escalate. For trading firms, this is particularly significant.

A platform outage, market data interruption, or connectivity issue can rapidly affect thousands of traders. Yet the data indicates that containment measures, failover systems, and operational response frameworks are often preventing wider disruption. In many respects, this is exactly the outcome DORA was designed to achieve.

Cybersecurity often dominates headlines. However, the report tells a different story.

More than half of all major incidents were caused by system failures or malfunctions. Another 27% were linked to external events, while only around 10% were classified as cybersecurity-related incidents.

Similarly, the root-cause analysis found:

• 50% were linked to system failures
• 32% were linked to external events
• 19% were linked to process failures
• 12% were linked to human error

For brokers and trading venues, this reinforces an important lesson: operational resilience extends far beyond cybersecurity. A software malfunction, infrastructure outage, or failed system upgrade may cause greater disruption than a cyberattack. This is precisely why DORA focuses not only on cyber defence, but also on resilience, testing, governance, and recovery capabilities.

One of the strongest messages from the report concerns third-party dependency. Nearly 29% of all major incidents originated from failures at third-party providers.

This finding validates one of DORA’s most debated requirements: enhanced oversight of vendors and ICT service providers.

Financial institutions increasingly rely on:

• Cloud providers
• Hosting infrastructure
• Connectivity providers
• Payment processors
• Trading technology vendors
• Market data suppliers

As a result, a single outage can affect dozens or even hundreds of institutions simultaneously.

Financial services have become increasingly interconnected across Europe.

The report shows that:

• 31% of all major incidents had a cross-border impact.
• More than 1,000 incidents affected multiple countries.
• Around 8% impacted more than 10 countries.

This finding is particularly relevant for multi-jurisdiction brokers, cross-border payment providers, crypto exchanges, and trading infrastructure providers, all of which operate across interconnected markets and depend heavily on shared technology and service providers.

A disruption originating in one market can quickly spread through shared technology platforms and vendor ecosystems. This interconnectedness helps explain why regulators opted for a harmonised framework rather than a patchwork of national reporting standards.

Although cybersecurity incidents accounted for only around 10% of all major incidents, they remain a significant concern.

Among reported cyber incidents:

• DDoS attacks accounted for 33%.
• Data theft, data manipulation, and identity theft accounted for 31%.
• Social engineering, ransomware, and supply-chain attacks accounted for the remainder.

Interestingly, regulators conclude that the relatively low number of cybersecurity incidents may indicate that existing security controls are generally effective. However, this does not mean firms can afford to relax. The report specifically notes that institutions must continue strengthening their cybersecurity capabilities as attackers increasingly adopt AI-driven tools and automation.

The first year of DORA reporting demonstrates one thing clearly: the biggest risks facing financial institutions are not necessarily the high-profile cyberattacks that dominate headlines.

More often, disruptions stem from:

• Software failures
• Infrastructure outages
• Vendor dependencies
• Process weaknesses
• Operational complexity

For brokers, trading venues, crypto exchanges, and payment firms, operational resilience is increasingly becoming a competitive differentiator.

Firms that invest in real-time monitoring, automated incident response, robust disaster recovery capabilities, effective third-party oversight, and regular resilience testing are likely to be better positioned to maintain client trust, minimise disruption, and meet increasingly demanding regulatory expectations.

When DORA was introduced, many firms viewed it primarily as another regulatory burden. The first annual incident report tells a different story.

The evidence suggests that while major ICT incidents remain common, most are being contained before they escalate into systemic events. Financial institutions are detecting disruptions more quickly, responding more effectively, and limiting the impact on customers and counterparties.

For the trading industry, that may be the most important finding of all. DORA was never about eliminating incidents. It was about ensuring that firms remain resilient enough to continue operating when incidents occur.

The first year of data suggests that the industry is moving in the right direction.