Resilience is less about preventing failure than proving control. The ESAs’ first report shows regulators care as much about the audit trail as the uptime, forcing a shift from technical fixes to demonstrable governance. Rohini Gupta, CEO of FinregE, The End-to-End Regulatory Operating System, reports.
The European Supervisory Authorities (ESAs) have released their inaugural assessment of major ICT-related incidents under Article 22 of the Digital Operational Resilience Act (DORA). The data presents a snapshot of the European Union’s financial sector’s digital pulse for 2025, with 3,383 major Information and Communication Technology (ICT) related incidents logged across credit institutions, payment providers and other regulated entities.
While the raw volume might suggest vulnerability to the untrained eye, the underlying narrative reveals a more complex reality. In an increasingly digitised, outsourced and interconnected ecosystem, operational incidents are not anomalies to be eradicated but inherent risks to be managed. The critical metric has shifted from absolute uptime to the capacity to respond, evidence and learn from failure in real time.
The distribution of these incidents illuminates the structural dependencies of modern finance. More than 60% of major incidents affected credit institutions, while a further 16% affected the payments sector. This concentration does not necessarily indicate institutional weakness but rather reflects the digital intensity and customer-facing nature of these sectors.
However, the source of the disruption offers a more profound insight. System failures and external events drove the majority of major incidents, with third-party ICT providers contributing to nearly one third of failures.
This statistic dismantles the traditional view of procurement as a back-office function. DORA has successfully reframed third-party ICT risk as a core component of operational resilience. A failure within a supply chain vendor can now cascade through critical services, affecting multiple entities, jurisdictions and sectors simultaneously. The report notes that one third of major incidents possessed cross-border implications, proving that a localised technology breakdown can fracture stability across the entire market.
The importance of proof
The strategic implication of these findings extends beyond technical fortification. The ESAs warn that resilience is becoming an evidentiary problem. A financial firm may possess robust technical controls and systems, yet under the new regulatory framework, these measures count for little without the ability to demonstrate them.
DORA effectively demands that firms prove how controls connect to regulatory obligations, critical services and third-party dependencies. Regulators require proof that decisions were made with appropriate oversight, that incident classifications were accurate and that remediation actions were timely and effective. And this evidentiary burden exposes a significant gap in the compliance operating models of many institutions.
Currently, numerous regulated organisations manage obligations, policies, risks, controls and incident logs across disconnected silos. When a disruption occurs, risk and compliance teams must often manually reconstruct the evidence trail to determine which obligations apply, which controls failed and which regulator requires notification.
Quite simply, this reactive model is unsustainable under DORA. The fragmented nature of legacy compliance infrastructure increases the risk of inconsistent reporting and delays in mitigation. The report highlights divergent reporting practices across sectors and jurisdictions, suggesting that without standardisation, supervisory convergence will remain elusive. To meet the expectations of the authorities, firms must adopt a compliance operating model that is connected, structured and auditable by design.
To bridge this gap, the industry requires technological infrastructure that enforces traceability. Forward-looking entities are beginning to deploy systems that link external regulatory obligations directly to internal policies, risks and controls. Such architectures allow compliance teams to maintain a live model from source regulation to internal implementation.
This approach eliminates the ambiguity of static policy libraries. When regulatory expectations evolve, or when the ESAs publish new guidance, the organisation must be able to identify what has changed, interpret the impact and route actions to the relevant teams instantly. Advanced operational models utilise automation to scan regulatory developments, classify updates and turn them into clear workflows with owners, deadlines and audit trails.
Furthermore, the emphasis on third-party driven incidents necessitates a transformation in how oversight is conducted. Firms must connect third-party risk requirements to relevant contracts, policies and assessment plans. Technology providers must support this by offering structured mechanisms to demonstrate how outsourcing services are monitored, how critical dependencies are assessed and how evidence of oversight activity is retained. This is particularly vital for critical providers where concentration risk is high. The goal is a defensible approach to ICT governance where every dependency is understood and every control is validated.
An enduring obligation
The path forward also demands a shift from reactive compliance to continuous resilience. DORA is not a one-off implementation project but an enduring obligation.
The ESAs will continue to monitor major incidents and focus on supervisory convergence. Firms must therefore establish a continuous model for tracking regulatory change, updating controls and testing compliance. The next phase of supervision will likely prioritise data consistency, reporting quality and the ability to show that lessons learned translate into stronger controls. Needless to say, boards and senior management will increasingly expect clear evidence of decision-making ownership and remediation progress.
The firms that will thrive under this regime are those that link regulatory change to obligations, obligations to controls, and controls to verifiable proof. Those that rely on manual evidence gathering or static documentation will find themselves exposed to regulatory sanction and reputational risk. In the new landscape of digital operational resilience, what cannot be evidenced cannot be proven.
The market, it would appear, is moving toward a standard where technology does not merely support compliance but constitutes the backbone of the firm’s ability to withstand disruption and satisfy its regulators. The architecture of trust is built on the strength of the audit trail.
FinregE: From Signal to Proof
The ESAs’ report underscores that resilience is as much an evidentiary challenge as a technical one. FinregE converts regulatory signals into auditable action. Its AI-driven scanning identifies updates, classifies impacts and routes them to owners with deadlines, ensuring DORA obligations are tracked across the organisation.
As The End-to-End Regulatory Operating System, FinregE establishes live traceability, mapping external obligations directly to internal policies and controls. This visibility highlights gaps in third-party governance and ensures vendor dependencies meet specific regulatory requirements. By unifying regulation, policy and testing, the system eliminates the fragmentation that weakens data quality.
For continuous assurance, FinregE schedules control tests and captures evidence in real time. Decisions and remediation are logged as work occurs, producing a regulator-ready audit trail. The result is an operating model where accountability is automatic and compliance is perpetual.