Your vendor contracts are a DORA risk. Here's the data.

The ESAs' first DORA report is out: 3,383 major ICT incidents in 2025, 29% from vendors. Here's what the data reveals about the contract visibility gap most firms still haven't closed.

By Johan Montelius Hedberg. Published June 2026.

The European Supervisory Authorities just published the first-ever EU-wide report on major ICT incidents under DORA. It's the first real look at how DORA third-party risk is playing out across the EU. If you work in legal or compliance at a regulated financial institution, it's worth reading.

The numbers aren't scary. The report is careful and measured. But inside it is a structural problem that no cybersecurity budget can fix. It's a contract problem. And it's yours to deal with.

One in three incidents started with a vendor

In 2025, regulated firms across the EU reported 3,383 major ICT incidents under DORA Article 19. Banks made up over 60% of those. Payment firms added another 16%. That's an average of 282 incidents every month.

One number stands out: almost one in three incidents (29%) started with a vendor failure. Not a hacker. Not a rogue employee. A third-party provider.

"Not a cyberattack. Not a rogue employee. A vendor."

Why preparation has to come first

Under DORA Article 19, when a major incident hits, the clock starts: four hours to file your initial notification, 72 hours for your intermediate report, and one month for your final report, which must include the root cause.

What regulators will ask next, and where most firms aren't ready

The ESA report isn't only about 2025. Regulators are building systems to cross-check your incident reports against your contracts.

The pre-DORA contract problem

Most firms hold hundreds, sometimes thousands, of vendor agreements. They were written by different teams, over many years, before DORA existed.

The visibility gap of DORA compliance

The ESA report breaks down the root causes of major incidents: system failures at 51%, external events at 32%, process failures at 19%, and human error at 12% (the categories overlap, so the shares add up to more than 100%).

Three questions to ask before the next incident

  1. Do you have a proper register of ICT third-party arrangements that meets DORA's Register of Information requirements?
  2. Do your key vendor agreements include DORA-aligned notification terms?
  3. Can your team find the right contract terms in minutes, not days?

What operational resilience actually looks like

The firms that contained damage fast had one thing in common. They knew their contracts before the incident hit.

We built it for DORA's reality

It gives your team the right structure for the DORA Register of Information: the correct fields, the correct format, built to what regulators require.