Regulatory Wrap episode 83: ESA’s first DORA report stresses third-party risk oversight

In Regulatory Wrap for the week to June 26, Kathryn Fallah discusses the top operational resilience takeaways from the ESA’s DORA report on ICT-related incidents.

02 July 2026 2 mins read
Profile picture of Kathryn Fallah By Kathryn Fallah

In Regulatory Wrap for the week to June 26, 2026:

In this week’s Regulatory Wrap, we unpack findings from the ESA’s first-ever DORA report on ICT-related incidents, which reinforce the importance of strong resilience measures and third-party risk oversight to keep pace with developing threats.

Highlights:

1. The ESA’s DORA report, which provides an overview of major ICT-related incidents in the EU financial sector, found that 3,000 incidents were reported in 2025 – with one-third having a cross-border impact

2. Shared infrastructures and third-party reliance magnify threats, with the report stating that “risks can be amplified by the interconnections within individual sectors and across the broader financial system”

3. Of the reported incidents, 51% were due to system failures, 27% to external events, and 19% to process failures

4. While cybersecurity incidents accounted for only 10% of those reported, the ESA noted that existing cybersecurity controls may not always be defensible against advancing attacks and should be tested regularly

5.  These findings in mind, the firms that prioritize resilience and ensure they have robust, updated frameworks in place – supported by security-first vendors – will be able to navigate the twists and turns of the current threat landscape

This week’s Regulatory Wrap is brought to you by Global Relay’s Content Writer, Kathryn Fallah.  

Well-maintained risk frameworks are essential to manage disruptions that could impact your organization – and the firms that adapt fastest will be the ones pulling ahead of the rest.