Since 17 January 2025, financial entities have had to notify the Federal Financial Supervisory Authority (BaFin) of every major incident affecting their information and communication technology (ICT). Article 19 of the Digital Operational Resilience Act (DORA) requires it. On 16 July 2026 the supervisor published its first annual analysis, and the quotable number appears in the second line: 733 incidents, some 1,200 affected firms, half of them caused by third parties. That reads as a clear story. It is merely an incomplete one, and you only notice once you place the European report beside it.
One point deserves to come first, because it tends to get lost whenever cyber risk is discussed. Attacks are the exception in this data set. Eleven per cent of incidents are cybersecurity incidents, and only the successful attacks appear there at all. Nine out of ten reported incidents are operational disruptions: a botched update, a misconfiguration, a data centre outage. The European report arrives at ten per cent and draws the same conclusion. The safeguards appear to be working. That is the good news, and it belongs at the top, so that what follows is not mistaken for an alarm.
Phishing leads with 19 incidents for the year, malware follows with 17.
The number everyone quotes
733 incidents, then. The figure looks precise, and it is. What it counts, however, is reports rather than events, and the two are not the same thing. BaFin sets them out separately. Around 60 incidents originated at a third party and hit several institutions at once; the supervisor calls these overarching incidents. Those 60 events produced 315 reports. Count each cause once and the year leaves you with 478 independent incidents.
The arithmetic closes exactly, which is precisely why nothing here is being obscured: 315 reports less 60 events gives 255 duplicate counts, and 733 less 255 is 478 on the nose. BaFin sets out both figures. Only one of them made the headline.
The chain closes upwards too. For 38 of the 733 reports, a service provider filed on behalf of others, covering some 55 affected institutions on average. Without that pooled mechanism, BaFin writes, institutions would have had to report 2,073 further incidents. The same reality would then have generated roughly 2,806 reports. Between the smallest and the largest defensible figure sits a factor of 3.8. That is not measurement error. That is the counting convention.
The obvious objection is that every official statistic rests on conventions, from the unemployment rate to gross domestic product. The objection lands. BaFin has never claimed the 733 to be a measure of risk either; its publication is titled an analysis of the reporting regime, not a risk assessment. Except that with unemployment figures we argue about fifteen per cent. Here the argument is about a factor of 3.8.
The gap between the two series is the effect of the cross-cutting incidents.
The comparison the source cannot draw
On 3 June 2026 the three European Supervisory Authorities (ESAs) published their first joint report on major ICT-related incidents: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA). Across the EU there were 3,383 in 2025, an average of 0.18 per reporting entity. Germany accounts for roughly 22 per cent of that with its 733. Against some 3,600 DORA-obligated firms in Germany, that works out at 0.20 incidents per entity. The German financial sector sits squarely in the European middle. There is no volume problem.
The distribution is where it gets interesting. Both reports use the same taxonomy, prescribed by Commission Delegated Regulation (EU) 2024/1772. System failures land almost level: around 50 per cent across Europe, 46.7 in Germany. So does human error, twelve per cent against 8.9. And then it comes apart:
Cause attributable to a third party: Europe 29 per cent, Germany 50 per cent.
External event as root cause: Europe 32 per cent, Germany 54.3 per cent.
Payment-related incidents: Europe 18 per cent, Germany 45.0 per cent.
Because Germany contributes roughly 22 per cent of the European total, it pulls the EU average up by its own weight. Strip Germany out and the rest of Europe reports external events at around 26 per cent. The German figure is more than double that. That 26 per cent appears in no report: the European document carries no member-state breakdown, and the figure is derived from the difference.
The obvious reading is that German service providers fail more often. It is not far-fetched. The German banking network concentrates the core banking systems of hundreds of savings banks and cooperative banks in a handful of providers, essentially Finanz Informatik and Atruvia, and BaFin itself notes that network service providers in particular make use of the pooled reporting route. A structural effect is therefore possible and cannot be ruled out. Yet the explanation explains too little. It does not account for why payment-related incidents, of all things, are reported two and a half times as often in Germany.
Share of the 733 reported incidents
171 against 106
The clue sits in both documents; you only have to add the percentages up. The German incident-type shares total 171.1 per cent, the European ones 106. Both reports permit multiple classification: an incident can be payment-related and an external event at the same time. Germany uses that option. Europe, on average, barely does.
The ESAs noticed as much themselves. On their incident-type chart they write that the figures need careful interpretation, potentially because of specific reporting practices. The accompanying footnote is blunter: the high number of incidents at credit institutions, combined with the competent authorities' own assessment, may point to potential under-reporting of payment-related incidents. The reason they offer is diverging reporting practices, with entities not selecting all applicable options.
That tips the explanation over. Payments provide the control case: it is exactly where the ESAs suspect under-reporting, and exactly where the German deviation is widest, 45.0 against 18 per cent. On that reading Germany would be less the outlier than the control case, showing what the European figure might look like if every applicable field were filled in everywhere.
Honesty requires the conditional. The ESAs write that reporting practice may be a cause, not that it is. What is established is the difference, not its origin. It also bears saying that no other European supervisor has published a national incident analysis of this kind at all. Not the Dutch DNB, not the French ACPR, not the Austrian FMA, not the Banca d'Italia. Report more completely and publish more openly, and you look worse in the statistics. That is not irony. It is a property of reporting systems.
Share of the 733 reported incidents
What the 733 actually conceal
An argument about counting should not obscure the substance, and the substance is remarkable enough. Sixty of 478 independent incidents, an eighth of the events, generated 315 of 733 reports, four tenths of the reporting load. A single such incident at a third party hit 39 financial entities on average.
More telling still is a gap that appears in no headline. Around 1,200 firms were affected; 355 filed. Over 800 institutions experienced a reportable ICT incident in 2025 and never appear in the filing statistics, because a provider submitted on their behalf. The clearest line is the last one: six firms were affected by more than ten incidents, yet nine firms reported more than ten. Those are the providers filing for others.
What that looks like in practice was on display on 1 June 2025, when the S-pushTAN app and savings bank online banking went down nationwide; a cyber attack was ruled out early. Or on 27 February 2025, when TARGET2 was unavailable for hours after a hardware fault, again no attack. Whether either case fed into the 733 is not on the public record. As a pattern they are exact: one outage, many affected, few filers.
The distribution by type of undertaking is equally lopsided: 512 of the 733 reports, just under 70 per cent, come from credit institutions. Payment institutions follow with 81, insurers with 69.
Absolute number of reports
Major means long, not expensive
A second finding explains why the statistics look the way they do. Under DORA an incident counts as major once it breaches defined thresholds. Two criteria dominated in Germany: duration and service downtime in 75.3 per cent of incidents, affected clients and transactions in 67.1 per cent. Economic impact triggered the obligation in only 6.5 per cent.
That reads as though DORA ignored financial damage. It does not: 100,000 euros in cumulative costs is a criterion in its own right. It simply binds rarely, and the reason is not harmlessness but the clock. An institution knows within the day that a critical service has been down for more than two hours. What the outage cost, it knows in months. The criteria fall in precisely the order in which they become observable: duration 75.3, clients 67.1, geographical spread 28.0, reputational damage 19.0, data loss 15.8, economic impact 6.5 per cent. This statistic measures what can be seen during an incident. Not what the incident costs.
The same mechanism accounts for a third oddity. In absolute terms the smaller and medium-sized institutions filed more than the significant ones, 462 incidents against 161. Normalise against the number of houses BaFin itself gives and it inverts: 3.22 incidents per significant institution against 0.42 per smaller one, a factor of 7.6. That reads like evidence that large banks are more fragile. It is at least as much a threshold artefact. One of the client criteria reads: more than 100,000 affected clients, in absolute terms. A large bank clears that mark in passing. A savings bank with 50,000 customers can never structurally clear it at all.
Share of the 733 reported incidents where the criterion triggered the reporting duty
Pooled reporting is itself a concentration risk
BaFin explicitly encourages smaller institutions to explore further pooled reporting arrangements with their providers. The purpose is relief, and the relief is real: 38 reports covered roughly 2,100 instances of exposure. It would also be unfair to hold that against the supervisor. It does not hide the effect, it sets out the 2,073 itself, and the mechanism is not a German invention but a European one: Article 7 of Implementing Regulation (EU) 2025/302 governs it.
The more serious objection is operational. Report through a pool and you hand a provider the timing, the content and the quality of a notification for dozens of institutions at once. File late or classify low, and all of them are misreported simultaneously, and none of them knows. Article 19(5) DORA leaves no room here: an institution may outsource the reporting obligation but remains fully responsible for fulfilling it. Responsibility does not travel with the task.
Nor does the mechanism relieve as much as it appears to. Article 7 permits a pooled report only where each affected institution has classified the incident as major itself. The classification therefore stays in-house, and classification is the hard part, not the form. What gets outsourced is the filing, not the judgement under time pressure. That same condition, incidentally, is why the 2,073 is not a rough extrapolation: those institutions had classified. They simply did not file.
Why 2026 will not be comparable
Anyone reading next year's analysis will see a change and want to interpret it. That will be harder than it looks, because at least three effects run at once and point in different directions. More pooled reporting pushes the number down, exactly as BaFin recommends. Growing routine in the second reporting year pushes it up; the supervisor notes itself that data quality improved markedly over the year. And 2025 is structurally short: the reporting window opened only on 17 January, and updates arriving after 26 January 2026 are excluded.
An increase in 2026 would therefore not merely be noisy. Without decomposition it would not be identifiable at all. You could not say which of the three effects produced it.
What this means for institutions
Where an incident is both payment-related and an external event, both fields belong ticked. The ESAs suspect that this frequently fails to happen. A firm that ticks only one field reports correctly in form and hands the supervisor a distorted picture. A sample across your own 2025 notifications answers the question in an afternoon.
Article 7 of Implementing Regulation (EU) 2025/302 requires each affected institution to classify for itself; Article 19(5) DORA keeps responsibility in-house. Firms using the pooled route should be able to evidence the basis on which their own house classified, rather than point to the provider's assessment. BaFin also warns that it cannot retrospectively split a pooled report, and that only institutions supervised by exactly the same authorities may be bundled together.
Downtime beyond two hours on a service supporting a critical or important function breaches the threshold regardless of how many clients are affected. It is the trigger in 75.3 per cent of cases. A firm that does not monitor its critical functions against that boundary learns about its reporting obligation instead of raising it.
The 733 is not a concentration metric. The register of information under Article 28(3) DORA is one: every institution records all its contractual arrangements for ICT services there. The question is not how many incidents the supervisor counted, but how many of your own critical functions depend on the same provider and what falls over simultaneously when it fails. For 19 providers the EU answered that question in November 2025, by designating them critical.
Which leaves the question of what to make of the 733. The answer is unspectacular. It is a clean analysis of a reporting regime, precise about what it measures, and BaFin sets out the alternatives itself. The error creeps in afterwards, among those who pass the number on. A reporting regime measures what gets reported. Turn that into a risk assessment and you have taken one step too many.