The three European Supervisory Authorities on June 3, 2026 released the inaugural DORA ICT incidents report — the first annual benchmark of operational resilience failures across EU financial markets under the Digital Operational Resilience Act. The data covers 3,383 major ICT-related incidents reported by EU financial entities during 2025, representing 0.18 major incidents per DORA-regulated entity, with approximately one-third carrying a documented cross-border impact. For European insurers still calibrating their DORA compliance posture, this is the first public signal from supervisors about what a “normal” operational risk year looks like — and what will trigger escalation in the 2026 cycle.
The ICT Incident Baseline — and Why Insurance’s Proportional Share Matters
The sector distribution in the ESA joint report (JC 2026 16) contextualises European insurers’ supervisory exposure directly. More than 60% of all 2025 major ICT incidents occurred in the credit sector, with a per-entity average of 0.57, and a further 16% affected the payments sector, leaving insurance as a proportionally smaller share, but subject to identical reporting obligations and supervisory escalation thresholds. The credit sector average of 0.57 incidents per entity was more than three times the cross-sector mean of 0.18, establishing a structural reference that national competent authorities will use to flag outlier entities in the 2026 cycle.
More consequentially for insurance groups, around one-third of the 3,383 incidents had a documented cross-border impact — transforming what might appear to be a local IT outage into a group-level board issue for any multi-jurisdiction insurer. The EIOPA press release confirms that ICT risks are increasingly borderless and interconnected. A shared pricing engine or policy-administration platform serving entities across multiple EEA jurisdictions generates simultaneous notification obligations to multiple home-state regulators — a scenario most insurance group governance frameworks have not yet stress-tested end-to-end.
Why System Failures — Not Hackers — Drive Most Major DORA Incidents
The most structurally significant finding is counterintuitive: only 10% of reported major ICT incidents were cybersecurity-related. System failures and external events were the main drivers across all sectors throughout 2025. This challenges the prevailing narrative behind insurance risk-management investment. European insurers have directed substantial resources into cybersecurity frameworks, AI governance, and threat intelligence — all valuable, but not addressing the actual source of most major DORA incidents. The acute operational risk in the 2025 data lies upstream: vendor outages, hardware obsolescence, and external disruptions at outsourced core systems.
EIOPA’s dual role as co-author of the joint annual report and lead overseer of the 19 critical ICT third-party providers (CTPPs) designated on November 18, 2025 means it can cross-reference incident data against CTPP oversight findings in ways national supervisors cannot. Insurers whose cloud and platform vendors sit within the CTPP designation list should treat this report as a board-level prompt to review Article 30 contractual obligations, resilience requirements, and exit strategies — not just internal incident classification playbooks. As Beazley has flagged, supply-chain and third-party vendor exposure is increasingly the market’s most systemically acute concern — now confirmed by regulators’ own incident data. The ESMA parallel press release explicitly names this as a structural EU financial market vulnerability.
EIOPA’s AI Warning and the Four-Hour Notification Clock
Despite system failures dominating the 2025 landscape, the ESAs frame AI-augmented cyber risk as an accelerating forward threat: the report states that financial entities should uphold the highest cybersecurity standards to keep pace with the potential use of highly capable AI-driven tools. This forward-looking language — set against a 2025 baseline where only 10% of incidents were cyber in origin — anticipates adversarial AI shifting the 2026 distribution materially.
DORA’s notification cascade — initial notification within 4 hours of classification, an intermediate report within 72 hours, and a final report within one month — is now a live obligation. Insurance operations, which typically lack the 24/7 IT incident command structures of banking, face a disproportionate challenge in the four-hour classification window. Insurers that have not run live tabletop exercises against DORA classification criteria should treat the June 2026 baseline as their planning anchor. EIOPA’s concurrent August 2026 AI Act compliance deadline compounds the burden for mid-sized carriers simultaneously building AI governance inventories and incident notification playbooks. The convergence of DORA operational reporting and EU AI Act supervisory expectations is the defining European regulatory challenge for insurance IT governance in the next 18 months, as FINMA’s own 2026 cybersecurity enforcement findings have illustrated even outside the formal EU DORA perimeter.
DORA’s 20-Category Scope and What Comes Next for Insurance Operations
The regulation covers 20 different types of financial entities, including insurance undertakings, reinsurers, and insurance intermediaries authorised under the Insurance Distribution Directive. The finding that the direct impact on clients and transactions was generally limited across the 3,383 incidents is the one reassuring data point in the 2025 baseline — but it also sets the floor for future cycles. National competent authorities now have the denominator to identify statistical outliers. For cross-border insurance groups, the coordinating challenge is structural: which entity notifies which national competent authority first, under which home-state rule, within which time zone’s four-hour window? DORA’s answer depends on where the affected entity is authorised, not where the disruption originated — a distinction requiring pre-agreed internal escalation protocols built now, before the 2026 cycle begins.
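The notification cascade above and the cross-border question (which entity notifies which authority, in which time zone's four-hour window) can both be pinned down in a small scheduling routine. The following is an added illustration, not code from the ESAs, EIOPA or any DORA tooling. It takes only the three windows the text gives (4 hours, 72 hours, one month) and makes two labelled assumptions: all three clocks are started from the classification timestamp, since the text does not say which event starts the later ones, and each entity's local time is modelled with a fixed UTC offset (a real deployment would use IANA zones so that daylight-saving shifts are handled). The entity names, the "NCA-xx" labels, the office-hours window and the classification timestamp are all constructed sample values.

```python
"""Added example: per-entity DORA notification deadlines for a cross-border
insurance group, rendered in the local time of the member state where each
entity is authorised.  Not code from the ESAs, EIOPA or the joint report; the
4h / 72h / one-month cascade is taken from the article, everything else is a
constructed assumption for illustration."""

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AffectedEntity:
    name: str              # constructed sample name
    home_state: str        # member state of authorisation: this decides the NCA
    nca: str               # constructed label, not a real supervisory portal
    utc_offset_hours: int  # fixed offset for the example; use IANA zones in practice


# Assumption: every clock starts at the classification timestamp.  The article
# gives the windows but not which event starts the 72-hour and one-month clocks.
INITIAL_WINDOW = timedelta(hours=4)
INTERMEDIATE_WINDOW = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """One calendar month later, clamped to the last day of a shorter month."""
    year = moment.year + (1 if moment.month == 12 else 0)
    month = 1 if moment.month == 12 else moment.month + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def notification_deadlines(classified_at: datetime) -> dict[str, datetime]:
    """Absolute UTC deadlines for the initial, intermediate and final reports."""
    if classified_at.tzinfo is None:
        raise ValueError("classification timestamp must be timezone-aware")
    start = classified_at.astimezone(timezone.utc)
    return {
        "initial": start + INITIAL_WINDOW,
        "intermediate": start + INTERMEDIATE_WINDOW,
        "final": add_one_month(start),
    }


def outside_office_hours(local: datetime) -> bool:
    """True when a local deadline falls outside Mon-Fri 08:00-18:00 (assumed
    staffed window); flags where a 24/7 command structure is needed."""
    return local.weekday() >= 5 or not (8 <= local.hour < 18)


def notification_schedule(classified_at: datetime, entities: list,
                          disruption_origin: str) -> list:
    """One row per affected entity.  The receiving NCA follows home_state, never
    disruption_origin; the origin is carried only so the report can show it."""
    deadlines = notification_deadlines(classified_at)
    rows = []
    for entity in entities:
        local_tz = timezone(timedelta(hours=entity.utc_offset_hours))
        row = {"entity": entity.name, "nca": entity.nca,
               "home_state": entity.home_state,
               "disruption_origin": disruption_origin}
        for stage, deadline_utc in deadlines.items():
            local = deadline_utc.astimezone(local_tz)
            row[stage] = local
            row[f"{stage}_out_of_hours"] = outside_office_hours(local)
        rows.append(row)
    return rows


# Constructed sample group: three entities authorised in different states.
GROUP_ENTITIES = [
    AffectedEntity("ExampleAssur SA", "FR", "NCA-FR (constructed)", 1),
    AffectedEntity("Example Life DAC", "IE", "NCA-IE (constructed)", 0),
    AffectedEntity("Example Re AG", "DE", "NCA-DE (constructed)", 1),
]

# Constructed classification time: Monday 2025-03-17 08:00 CET (07:00 UTC).
EXAMPLE_CLASSIFICATION = datetime(2025, 3, 17, 8, 0,
                                  tzinfo=timezone(timedelta(hours=1)))


def example_schedule() -> list:
    """Schedule for the constructed incident on a shared platform hosted in NL."""
    return notification_schedule(EXAMPLE_CLASSIFICATION, GROUP_ENTITIES,
                                 "shared policy-admin platform hosted in NL")


if __name__ == "__main__":
    for row in example_schedule():
        print(f"{row['entity']} -> {row['nca']} (home state {row['home_state']})")
        for stage in ("initial", "intermediate", "final"):
            flag = " OUT OF HOURS" if row[f"{stage}_out_of_hours"] else ""
            print(f"  {stage:<12} {row[stage]:%Y-%m-%d %H:%M %z}{flag}")
```

Running it shows the same absolute deadline landing at different wall-clock times per entity, that the Dutch hosting location of the constructed platform changes no recipient, and which deadlines fall outside a staffed window so that the escalation protocol can name who answers the phone.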