
ESAs release first DORA report on major ICT incidents in finance


The European Supervisory Authorities (EBA, EIOPA, and ESMA) published their first annual overview of major ICT-related incidents in the EU financial sector. This report is based on a reporting mechanism established by the Digital Operational Resilience Act (DORA). It highlights that ICT risks are increasingly borderless and interconnected.

Authorities also note that the recent evolution of highly capable AI-driven tools should encourage financial entities to strengthen their cybersecurity measures, which is crucial to maintaining resilience in an evolving digital landscape.

DORA aims to harmonise and streamline the reporting regime for major ICT-related incidents. It introduces consistent requirements for financial entities regarding the management, classification and reporting of such incidents, ensuring a standardised approach across the EU financial sector. Proper notification of major ICT-related incidents to all Competent Authorities involved enables a faster and more coordinated response. This mechanism is vital for addressing borderless and interconnected incidents, ultimately enhancing the resilience of the European financial system.

The report reveals that approximately one-third of the 3,383 major incidents reported by EU financial entities had a cross-border impact, highlighting growing interconnectedness via shared infrastructures and services. The direct impact on clients and transactions, however, was generally limited. System failures and external events were identified as the primary drivers, which underscores the need for robust third-party risk management and effective oversight of outsourced services; close coordination with service providers during incident response is also crucial. Although only 10% of reported incidents were cybersecurity-related, financial entities must maintain the highest cybersecurity standards to keep pace with the potential use of highly capable AI-driven tools and evolving threats.

These findings illustrate the growing systemic dimension of ICT risk, as well as the importance of resilience and supervision in strengthening the financial sector’s ability to prevent, absorb and recover from future incidents.

Article 22(2) of DORA mandates the ESAs to report yearly on major ICT-related incidents. The report must detail the number and nature of incidents, their impact on financial entities or clients, the remedial actions taken and the costs incurred.

Under DORA, an ICT-related incident is an unplanned event or series of events that compromises the security of network and information systems and adversely impacts the availability, authenticity, integrity or confidentiality of data, or the services provided by the financial entity. A major ICT-related incident is an ICT-related incident with a high adverse impact on the network and information systems that support critical or important functions of the financial entity, requiring significant attention.
