The outage file is now a market file
DORA’s first report is not an AI rulebook.
The European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority published the first annual overview of major ICT-related incidents under DORA on June 3. Their headline finding is not that financial firms had a bad technology year. It is that the risk is increasingly borderless and interconnected.
That matters because finance has been trying to make cyber resilience auditable without making it purely local. A bank outage in one member state can become a payments problem elsewhere. An insurer’s outsourced service can share infrastructure with other firms.
DORA’s first major-incident overview gives regulators a common file for that problem. It asks banks, insurers, exchanges, payment firms and other financial entities to classify and report major ICT incidents in a harmonised way. The useful question is whether they can classify, notify and coordinate fast enough when attacks become cheaper to scale.
DORA is standardising the first hour
DORA defines an ICT-related incident as an unplanned event, or linked events, that compromises network and information-system security and affects data or services. A major ICT-related incident is one with a high adverse impact on systems supporting critical or important functions. The EU regulation itself puts that inside a wider operational-resilience regime for financial entities.
The ESAs’ June 3 report sits on top of that regime. The authorities say DORA introduces consistent requirements for the management, classification and reporting of ICT-related incidents, with the objective of harmonising and streamlining the reporting regime. The mechanism is meant to ensure major incidents are notified to all competent authorities involved, so authorities can respond faster when incidents cross borders.
Classification is not clerical when the same event can involve a cloud provider, an outsourced technology service, a payments dependency and a national supervisor. The first hour decides which authorities hear about it, what they think it is, and whether connected firms realise they may be looking at the same failure.
The numbers in the first report make that coordination problem visible. The ESAs say financial entities reported 3,383 major incidents, equal to 0.18 per entity subject to DORA. Around one third had cross-border impact. Direct impact on clients and transactions was generally limited. System failures and external events were the main drivers.
That combination is uncomfortable. The customer impact can look contained while the operational dependency is already shared. That is a trap for anyone who still treats resilience as an internal incident-management KPI.
AI belongs in the attacker economics, not the legal label
The AI line in the report should be read carefully. The ESAs do not recast DORA as AI regulation. They say only 10% of the reported incidents were related to cybersecurity, while warning that financial entities should maintain high cybersecurity standards to keep pace with the potential use of highly capable AI-driven tools.
That is the right framing. AI changes attacker economics before it changes regulatory taxonomy. It can lower the cost of phishing, reconnaissance, malware variation, vulnerability triage and social engineering. A reporting regime built for slow, local incident escalation will be late even if every box is eventually ticked.
So the supervisory question is not “AI incident” versus “non-AI incident.” It is whether a firm can recognise a scalable cyber campaign early enough to report it as a major ICT incident, route it to the right authorities, and coordinate with third-party providers before the same pattern appears in peer institutions.
That is why the cross-border finding matters more than the 10% cybersecurity figure. A low cyber share does not make cyber peripheral. It means cyber incidents are a smaller slice of the first reporting set, but the subset can move faster and spread more cheaply as AI-driven tooling improves.
Third-party risk is the pressure point
The report’s emphasis on system failures, external events and outsourced services points to the real DORA test. Financial firms have spent years moving critical functions into common vendors, cloud stacks and managed service providers. That can improve resilience and concentrate failure modes.
DORA tries to make that concentration supervisable. The major-incident mechanism gives authorities a way to compare reports across firms and jurisdictions. If several entities report similar disruption tied to a shared provider, the evidence should converge faster than it would under scattered national practices.
But that only works if firms classify consistently. A payments firm cannot treat provider degradation as a narrow service ticket while a bank treats the same provider event as a major ICT incident. An insurer cannot wait for final root-cause certainty if the operational impact is already crossing borders.
The implication for boards is that DORA reporting is now part of cyber readiness. A firm that cannot map providers, identify critical functions, test incident thresholds and brief supervisors quickly does not merely have a paperwork gap. It has a resilience gap.
The market read
For investors and operators, the first DORA report says European financial regulation is moving cyber evidence upstream. The interesting part is not a new penalty threat. It is the data model being built around incidents.
Once authorities receive comparable reports, they can see concentration, repeat providers, weak classifications and slow notification patterns. Operational resilience starts to look less like a policy attestation and more like a recurring supervisory dataset.
AI raises the stakes because it pushes the attack side toward scale. DORA pushes the defence side toward shared evidence. The firms that benefit will not be the ones with the neatest incident decks after the fact. They will be the ones that can turn a messy technical signal into a defensible cross-border report while the incident is still moving.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.