The European Banking Authority (EBA) has published its first annual report on serious ICT incidents within the EU's financial sector since the DORA regulation was implemented last year. The report reveals that financial institutions reported 3,383 incidents during the first year, with Sweden's Financial Inspectorate (FI) warning that some Swedish banks are not meeting regulatory requirements.
Report Key Data
- 3,383 serious ICT incidents reported by financial institutions in the EU
- 0.18 incidents per DORA-covered entity
- 1,128 incidents (~33%) had cross-border effects
- 338 incidents (~10%) related to cybersecurity
- System failures and external events were the main drivers
- Direct impact on customers and transactions generally limited
FI's Warning: Risk of Non-Compliance
The Financial Inspectorate has mapped and analyzed how financial institutions in Sweden comply with the DORA regulation. The results indicate a risk that some companies are not meeting regulatory requirements, which FI addresses in its latest stability report, 2026:1.
"The DORA regulation has been fully applied in Sweden since last year," writes FI. "Results indicate a risk that some companies are not meeting regulatory requirements."
Sweden's Position within the EU
As an EU member, Sweden is directly affected by the DORA regulation. All Swedish banks and payment service providers are subject to the same reporting obligations as those in other member states. FI already has regulatory authority over payment preparedness, which strengthens Sweden's position in implementing DORA.
Geopolitical Context
The report is published at a time of geopolitical uncertainty. During spring 2026, conflicts in the Middle East caused significant price movements and high volatility in global markets, increasing the likelihood of a stronger economic slowdown.
"FI proposes new legislation for regulatory powers over financial companies in wartime situations," states the report. "The Riksbank already has regulatory authority over payment preparedness."
Economic Development
The Swedish economy is slowly recovering from the recession. Inflation has fallen, but many households remain concerned. DORA implementation occurs in a context where financial stability is particularly important.
AI and Cybersecurity
The EBA emphasizes that the development of AI-driven tools requires enhanced cybersecurity. Only 10% of the reported incidents were related to cybersecurity, indicating there is room for improvement in this vital sector.
Future Challenges
- Continuous monitoring of DORA compliance
- Governance of AI tools in the financial sector
- Increased preparedness for cross-border incidents
- Adaptation to new legal requirements in crisis situations
Conclusion
DORA's first year has revealed a significant number of incidents within the EU's financial sector. Although the direct impact on customers and transactions has been limited, FI points to compliance risks that need to be addressed.
The 3,383 incidents provide an eye-opening picture of the digital vulnerability of the EU's financial sector. Sweden, with its strong financial infrastructure, is well prepared, but must continue working on operational resilience to meet future challenges.
FI's stability report 2026:1 emphasizes the importance of continued strong operational resilience among financial institutions, particularly in a time of geopolitical uncertainty and digital transformation.