Luxembourg Financial Regulatory News:
This 2025 Joint-ESA Report provides an anonymized and aggregated overview of major information and communication technology (ICT) incidents within the European financial sector. Published in June 2026 under the Digital Operational Resilience Act (DORA), the document analyzes 3,383 significant events reported by entities such as banks, insurers, and payment providers. The findings reveal that while the credit and payment sectors experienced the highest frequency of issues, most incidents resulted from system failures or third-party service disruptions rather than successful cyberattacks. Despite a growing number of cross-border impacts due to increased digital interconnectedness, the report highlights that robust containment measures successfully limited the damage to clients and financial transactions. Ultimately, the authorities use this data to enhance supervisory convergence and strengthen the overall technological stability of the EU financial system.
Summary of 2025 Report on major ICT-related incidents published under Joint-ESA report under Article 22 of DORA
This briefing synthesizes the findings of the 2025 Joint-ESA report regarding major Information and Communication Technology (ICT) incidents within the European Union, as mandated by Article 22(2) of the Digital Operational Resilience Act (DORA). In 2025, financial entities (FEs) reported a total of 3,383 major incidents, averaging 0.18 incidents per entity. The data reveals that while ICT risks are increasingly borderless—with approximately one-third of incidents having cross-border impacts—the financial sector demonstrated significant resilience. Two-thirds of major incidents resulted in minor or no disruption to clients and transactions, suggesting that timely detection and containment measures were largely effective.
The report identifies system failures and external events as the primary drivers of disruption. Notably, nearly 30% of incidents originated from failures at third-party service providers (TPPs), emphasizing the critical nature of outsourced services and the deep interconnectedness of the modern financial system. Although cybersecurity incidents accounted for only 10% of reports, the persistent threat of sophisticated, AI-driven attacks necessitates the maintenance of high security standards.

| Sector | Total Incidents | Predominant Incident Type | Primary Root Cause | Most Frequent Cyber Threat |
| --- | --- | --- | --- | --- |
| Total (All Sectors) | 3,383 | System failure (51%) | System failure/malfunction (50%) | DDoS (33%) |
| Credit | ~2,030 | System failure | System failure/malfunction | DDoS |
| Payments | ~541 | System failure | System failure/malfunction | Data exfiltration and identity theft |
| Market Transparency Infrastructure (MTI) | ~275 | System failure | System failure/malfunction | Not in source |
| Insurance | ~210 | System failure | System failure/malfunction | Ransomware |
| Markets and intermediaries (M&I) | ~130 | System failure | System failure/malfunction | Not in source |
| Market infrastructures and post-trade (MI&PT) | ~100 | System failure | System failure/malfunction | Not in source |
| Asset management (AM) | ~100 | System failure | System failure/malfunction | Not in source |
| Crypto | ~60 | System failure | System failure/malfunction | Not in source |

1. Regulatory Framework and Reporting Mandate
The Digital Operational Resilience Act (DORA) provides a harmonized framework for reporting and analyzing ICT risks across the EU. This analysis is produced by the Joint Committee of the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
Key Definitions
- ICT-related Incident: An unplanned event compromising the security of network and information systems, adversely impacting data availability, authenticity, integrity, or confidentiality.
- Major ICT-related Incident: An incident with a high adverse impact on systems supporting critical or important functions of a financial entity.
Notification Timeline
Financial entities must adhere to a three-stage reporting process:
- Initial Notification: Within 4 hours of classification (no later than 24 hours after awareness).
- Intermediate Report: Within 72 hours of the initial notification.
- Final Report: No later than one month after the root cause analysis is completed.
2. Quantitative Overview of 2025 Incidents
The reporting period saw a monthly average of 282 major incidents. Notable spikes occurred in February, April, and May due to specific cross-border and cross-sectoral events.
Sectoral Distribution
The concentration of incidents was highest in the credit and payments sectors, reflecting their highly digital, customer-facing nature and pre-existing reporting requirements under PSD2.

| Sector | Share of Total Incidents | Incidents per Entity (Avg) |
| --- | --- | --- |
| Credit | > 60% | 0.57 |
| Payments | 16% | 0.23 |
| Other Sectors | < 24% | Variable |

Note: The high volume in the credit sector is partially attributed to “multiplier effects,” where a single third-party failure affects dozens of smaller entities within the same group using shared infrastructure.
Classification Criteria
Incidents are classified as “major” based on specific materiality thresholds. In 2025, the primary triggers were:
- Service Downtime and Duration: The most frequent trigger for reporting.
- Non-Monetary Impact: Significant numbers of clients, transactions, or financial counterparts affected.
- Reputational Impact (16% of incidents): Situations involving media coverage, repetitive complaints, or potential loss of customers and regulatory non-compliance.
3. Nature and Origin of Incidents
The report identifies a hierarchy of incident types and causes, highlighting structural vulnerabilities in digital infrastructure.
Incident Types and Root Causes
- System Failures (51%): The most prevalent type, driven by the complexity of digital architectures and software issues.
- External Events (27%): Frequently linked to disruptions in third-party infrastructure.
- Payment-related (18%): Concentrated in the credit and payment sectors.
- Cybersecurity (10%): Primarily concentrated in the credit sector, featuring Distributed Denial of Service (DDoS) attacks (33%) and data exfiltration/manipulation (31%).
Third-Party Dependency
The role of ICT Third-Party Providers (TPPs) is a critical systemic factor. Approximately 29% of all major incidents were attributable to failures in third-party services. This highlights the necessity for robust third-party risk management and oversight, as disruptions at a single provider can propagate rapidly across the financial ecosystem.
4. Impact Analysis
Despite the high frequency of incidents, the actual harm to the broader financial system was generally contained.
Geographic and Systemic Spread
- Domestic Impact: 69% of incidents were contained within a single Member State.
- Cross-Border Impact: 31% extended beyond the reporting country.
- Systemic Reach: 8% of all incidents affected more than 10 Member States, illustrating the “borderless” nature of ICT risk in an interconnected market.
Client and Transactional Disruption
Impact on end-users remained limited in the majority of cases:
- Clients: Nearly 60% of incidents resulted in minor or no impact (fewer than 1,000 clients affected). Only a small fraction affected more than 1 million clients.
- Transactions: Two-thirds of incidents affected either no transactions (32%) or fewer than 1,000 transactions (26%).
- Financial Counterparts: Less than 18% of incidents had any impact on other financial counterparts.
Financial Costs
The monetary impact reported by FEs was surprisingly low. Roughly 50% of entities reported either no direct/indirect costs (40%) or negligible costs under EUR 1,000 (10%). Only 3% of incidents involved any financial recoveries.
5. Deep Dive: Major 2025 Events
Two significant events illustrate the systemic risks associated with hardware failures and infrastructure dependencies.
The TARGET2 Incident (February 2025)
- Cause: A rare hardware malfunction in a core storage system component.
- Duration: T2 and T2S were unavailable for 10 and 8 hours, respectively.
- Impact: Suspension of securities settlement, payments, and liquidity transfers; significant delays in salary and pension payments in certain communities.
The Iberian Peninsula Blackout (April 2025)
- Cause: A total blackout of the Spanish electrical grid, also affecting Portugal.
- Duration: Approximately 10 hours.
- Impact: While bank data centers used backup generators, operations dropped due to telecommunications failures. Clients could not access mobile banking or use point-of-sale terminals, preventing day-to-day purchases.
6. Conclusions and Future Outlook
The 2025 reporting cycle confirms that while the financial sector possesses strong containment capabilities, ICT risks are becoming more systemic and cross-sectoral.
Core Findings:
- Interconnectedness: Shared infrastructures and TPPs are the primary vectors for systemic propagation.
- Stability vs. Risk: The low frequency of major cybersecurity incidents suggests effective safeguards are in place, but FEs must remain vigilant against AI-driven threats.
- Reporting Divergence: Variations in reporting practices persist as DORA implementation is in its early stages.
ESA Forward Strategy (2026): The ESAs intend to introduce a new IT tool for incident reporting in 2026 to enhance data quality through automated validation. Efforts will shift toward monitoring “open” incidents and supporting Competent Authorities in following up on overdue cases to ensure full compliance with DORA requirements.
The Resilience Mirage: Why 3,300+ Incidents Haven’t Broken Europe’s Banks (Yet)

The stability of our financial systems is often a background noise we only notice when it stops—a failed card payment at a grocery store or an unresponsive mobile banking app. But beneath the surface of these occasional inconveniences lies a complex digital infrastructure under constant duress. How stable is the bedrock of the European economy?
The newly released ESAs 2025 report on major ICT-related incidents provides the first authoritative post-mortem of a year governed by the Digital Operational Resilience Act (DORA). This report dissects “major incidents”—defined under DORA as ICT disruptions with a high adverse impact on the network and information systems supporting the critical or important functions of financial entities. The data reveals a system that is simultaneously under unceasing pressure and remarkably adept at agile recovery.
1. Resilience is Higher Than You Think: The Shift to Agile Recovery
On the surface, the headline figures appear staggering: in 2025, European financial entities reported 3,383 major incidents, averaging 0.18 per entity. However, a senior analysis suggests these numbers are not a signal of structural decay, but rather evidence of a high-functioning “digital immune system.”
Despite the volume, the impact was notably contained. Two-thirds of major incidents resulted in zero or minor disruption to clients and transactions. This suggests the industry is successfully transitioning from a philosophy of hard perimeter defense (preventing all entries) to one of agile recovery capabilities (identifying and neutralizing failures before they scale).
“The resilience of the financial sector is demonstrated by the ability shown by financial entities to promptly identify, manage and contain major incidents.”
2. The Credit and Payments Sector: A Digital Lightning Rod
The report highlights a massive concentration of activity, with over 60% of incidents occurring in the credit sector and 16% in the payments sector. To the uninitiated, this looks like a weakness; to a policy analyst, it reflects “reporting maturity.”
These sectors have been subject to the Revised Payment Services Directive (PSD2) since 2018, meaning their reporting frameworks were far more sophisticated than other sectors when DORA arrived. Furthermore, we must account for the “multiplier effect”: because many smaller banks within a group share a single ICT hub, one failure at a central service provider can trigger dozens of individual reports. This isn’t necessarily a sign of systemic fragility, but a reflection of a highly digitalized, customer-facing market structure.
3. The Great Cyber Paradox: Systems vs. Hackers
There is a profound disconnect between public fears and operational reality. While headlines focus on catastrophic “hacker” attacks, the data reveals a “Cyber Paradox”: System Failures accounted for 51% of major incidents, while Cybersecurity-related events comprised only 10%.
The primary cyber threats remain Distributed Denial of Service (DDoS) (33%) and data exfiltration (31%), particularly targeting the credit sector due to the high liquidity of the data involved. The low percentage of successful cyber-breaches suggests that existing safeguards are currently winning the arms race against external actors, leaving our own complex, legacy software as our greatest vulnerability.
“The relatively low number of major incidents categorised as cybersecurity-related seems to suggest that existing safeguards and detection mechanisms were generally effective in limiting the occurrence of such incidents.”
4. Borderless Risk: When an Iberian Blackout Becomes a Banking Crisis
In the DORA era, ICT risk ignores national borders. One-third of all 2025 incidents had cross-border impacts, illustrating the deep interconnectedness of the European financial grid. Two events from the 2025 data set illustrate this fragility:
- The TARGET2 Incident (February 2025): A rare hardware malfunction in a core storage component caused a 10-hour outage for T2 and an 8-hour outage for T2S (TARGET2-Securities). It even caused a partial disruption in TIPS (TARGET Instant Payment Settlement), suspending high-value payments and securities settlements across the Eurosystem.
- The Iberian Peninsula Blackout (April 2025): A 10-hour energy grid failure in Spain and Portugal. While bank data centers remained online via backup power, operational continuity was compromised because telecommunication providers and branches lost connectivity. Crucially, point-of-sale (POS) terminals ran out of battery or lost signal, halting day-to-day retail commerce.
5. The Third-Party Trap
A financial entity’s resilience is only as robust as its outsourced infrastructure. The report reveals that 29% of major incidents originated from failures at third-party service providers (ICT TPPs). When bridged with the fact that “External Events” caused 32% of all incidents, the picture becomes clear: “External” is almost synonymous with “Third-Party.” This underscores the strategic necessity of the oversight frameworks mandated by DORA; even the most secure bank can be brought down by a failing cloud provider or a shared communication line.
6. The “Zero-Cost” Mystery: A Compliance Blind Spot
One of the most concerning findings is that 50% of major incidents were reported to have “negligible monetary impact” or zero costs. This is almost certainly a data integrity risk.
Per the ESAs’ guidelines, the working time of staff dedicated to incident handling must be counted as a cost. The high volume of “zero-cost” reports suggests that entities are failing to accurately track and report internal resource allocation. We should expect the ESAs to treat this as a major “compliance blind spot” in 2026, pushing for more rigorous internal accounting.
7. Conclusion: Beyond the Numbers
The 2025 data marks a definitive shift in the European mindset: we have moved from the impossible goal of preventing all incidents to the pragmatic necessity of surviving the unavoidable.
As we look toward 2026, the introduction of harmonized IT tools for reporting will likely strip away the remaining “reporting shadows.” However, the ultimate question remains: can the financial sector maintain this agile resilience as the landscape evolves? The real test will be the looming battle between AI-driven sophisticated threat actors and AI-driven defensive monitoring. In the digital arms race, the only constant is the need for persistent vigilance.




