The European Supervisory Authorities recently published their first annual overview of major ICT-related incidents in the European Union financial sector, revealing a rising pattern of cross-border disruptions and warning that increasingly advanced artificial intelligence tools may heighten cybersecurity risks across the industry.
The report was issued jointly by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA) under the reporting framework established by the Digital Operational Resilience Act (DORA).
The authorities said the findings show that ICT risks are increasingly borderless and interconnected, reflecting the growing reliance of financial institutions on shared digital infrastructure and third-party service providers.
They also warned that the emergence of highly capable AI-driven tools should prompt financial entities to further strengthen their cybersecurity and operational resilience measures.
Under DORA, financial entities are required to follow harmonised rules for the management, classification and reporting of major ICT-related incidents, with the aim of ensuring consistent notification to all relevant competent authorities.
This system is intended to enable a faster and more coordinated response to cross-border ICT disruptions, thereby improving the overall resilience of the European financial system.
According to the report, around one third of the 3,383 major ICT-related incidents reported by financial entities across the EU had a cross-border impact.
The authorities noted that this equates to approximately 0.18 major incidents per entity subject to DORA, highlighting the scale of reporting across the sector.
Despite the cross-border dimension, the report found that the direct impact on clients and financial transactions was generally limited.
It said that system failures and external events were the main drivers of incidents, underlining the importance of strong third-party risk management, effective oversight of outsourced services, and close coordination with external service providers during incident response and recovery.
The authorities also reported that only 10 per cent of incidents were linked to cybersecurity threats.
However, they stressed that financial institutions must continue to adhere to the highest cybersecurity standards, particularly in light of the potential risks associated with the growing use of advanced AI-enabled systems.
The report said these findings demonstrate the increasing systemic nature of ICT risk within the financial sector.
It added that strengthening resilience, supervision and coordination will be essential to improving the sector’s ability to prevent, absorb and recover from future disruptions.
Under Article 22(2) of the Digital Operational Resilience Act (DORA), the European Supervisory Authorities are required to publish an annual report covering at least the number of major ICT-related incidents, their nature, their operational and client impact, the remedial measures taken and the costs incurred.
DORA defines an ICT-related incident as a single event or a series of linked unplanned events that compromise the security of network and information systems, affecting the availability, authenticity, integrity or confidentiality of data or services provided by a financial entity.
A major ICT-related incident is defined as one that has a high adverse impact on the network and information systems supporting critical or important functions of a financial entity.