ESMA: EU financial markets enter 2026 amid high‑risk environment


Cyber Resilience and Systemic Risk in Financial Infrastructure


The report states that cyber and operational risks remain at the highest intensity level, with cyber and hybrid threats representing an escalating concern for financial stability. These risks are increasing in structural relevance, as the financial sector has become an increasingly prominent target for attacks.
Key details regarding these risks include:
Escalating Cyber and Hybrid Threats
  • Targeted Sector: The financial sector is among the most targeted in the EU. Recent data shows that the proportion of global cyber incidents attributed to the financial sector has risen from low single digits to low double digits.
  • Common Attack Methods: Attacks frequently exploit phishing (accounting for ~60% of initial access), unpatched vulnerabilities (~21%), and ransomware, which is considered a high‑impact threat.
  • Systemic Impact: Cyber disruptions can propagate quickly through payment, clearing, and settlement chains due to the high degree of interconnectedness and reliance on shared technical services.
Operational Vulnerabilities and Dependencies
  • Third‑Party Reliance: A major vulnerability is the sector's heavy reliance on a limited number of critical ICT third‑party service providers. This concentration creates upstream vulnerabilities where a single failure can propagate shocks across multiple participants and markets.
  • Crypto Sector Example: An outage of Amazon Web Services (AWS) on 20 October 2025 highlighted this dependency, affecting prominent centralized exchanges like Coinbase and Robinhood, as well as on‑chain Layer‑2 networks. Approximately 37% of Ethereum's execution nodes are currently hosted on AWS.
  • Technological Risks: New financial innovations like tokenization inherit technical vulnerabilities, including smart contract bugs, governance flaws, and security breaches in digital wallets.
Regulatory and Mitigating Efforts
  • DORA: Has strengthened the EU's ICT‑risk management framework.
  • CTPP Oversight: In 2025, European Supervisory Authorities initiated the designation of Critical ICT Third‑Party Providers (CTPPs) to address systemic risks stemming from reliance on a few technology providers.
  • Resilience Frameworks: Efforts to enhance third‑party oversight, improve incident reporting, and conduct rigorous testing are central to mitigating future disruptions.