- European regulators recorded 3,383 major ICT incidents across the financial sector during 2025
- Around one-third of incidents had a cross-border impact, highlighting growing interconnectedness
- System failures accounted for more than half of all reported incidents
- Cybersecurity incidents represented 10% of total events but remain a significant supervisory concern
- Regulators warned that highly capable AI-driven tools could intensify cyber threats
- Nearly one-third of incidents originated from failures involving third-party providers
- Major disruptions included the TARGET Services outage and the Iberian Peninsula blackout
- Supervisors are calling for stronger cyber resilience, governance, and third-party risk management

Europe's financial watchdogs have warned that artificial intelligence could amplify cyber threats facing banks, insurers, and investment firms as new data reveals the scale of technology-related disruptions across the financial sector.

The European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority this week published their first annual review of major ICT-related incidents under the Digital Operational Resilience Act (DORA), painting a picture of an increasingly interconnected and borderless risk landscape.

According to the report, financial institutions across the European Union reported 3,383 major ICT-related incidents during 2025, equivalent to an average of 0.18 major incidents per financial entity covered by DORA.

The overwhelming majority occurred within the banking and payments sectors, reflecting their highly digital and customer-facing nature.

While the number appears substantial, regulators stressed that incident volumes alone should not be viewed as evidence of systemic weakness.

Instead, they argued that resilience should be judged by the sector's ability to identify, contain, and recover from disruptions before they escalate into wider crises.

The report found that two-thirds of major incidents resulted in little or no disruption to customers or transactions, suggesting that detection and response mechanisms were generally effective.

Nevertheless, the report identifies a growing systemic challenge. Around one-third of all major incidents had a cross-border impact, affecting institutions and customers beyond the country where the incident originated.

In roughly 8% of cases, more than 10 countries were affected, underlining how shared infrastructure, common service providers, and interconnected business models can allow disruptions to spread rapidly across jurisdictions.

System failures emerged as the most common source of disruption, accounting for more than half of all reported incidents.

External events represented 27%, while payment-related incidents made up 18%. Cybersecurity incidents represented only 10% of reported events, a figure regulators said may indicate that existing safeguards and detection measures are proving effective.

However, the supervisory authorities cautioned against complacency. In the accompanying press release, they noted that "the recent evolution of highly capable AI-driven tools should encourage financial entities to strengthen cybersecurity measures to maintain their resilience going forward."

The report's analysis of cyber incidents revealed that distributed denial-of-service attacks accounted for 33% of reported cyber events, while data exfiltration, manipulation, and identity theft represented 31%.

Credit institutions experienced a disproportionate share of these attacks, reflecting both their scale and the sensitive information they hold.

Perhaps the most significant finding for risk managers concerns third-party dependency. Nearly one-third of all major incidents originated from failures involving third-party providers, including ICT service providers, infrastructure operators, and other financial entities.

Regulators said this highlights the need for stronger oversight of outsourced services and more robust third-party risk management frameworks.

The report identified several events that exposed the sector's interconnected vulnerabilities. A major outage affecting TARGET Services in February 2025 disrupted securities settlement, payments processing, and liquidity transfers across multiple markets for several hours.

Two months later, a widespread blackout across Spain and Portugal impaired banking operations, branches, communications networks, and payment services throughout the Iberian Peninsula.

The supervisory authorities concluded that ICT risks are becoming increasingly systemic, driven by shared infrastructure, outsourced services, and cross-border operating models.

They warned that system failures and external events remain the dominant drivers of major incidents and emphasized the need for stronger governance, testing, resilience planning, and oversight of critical technology providers.