Cyberattacks are no longer isolated IT events, they’re a growing threat to the entire financial system. According to a new in-depth report by the European Securities and Markets Authority (ESMA), the increasing frequency, sophistication, and financial impact of cyber incidents could spark systemic liquidity shocks in EU financial markets, especially if critical infrastructure nodes are targeted.
The report, Operational and cyber risks in EU financial markets: measurement and stress simulation, highlights how financial institutions are especially vulnerable due to their central role in data handling and capital movement. The study finds that malicious cyber operations (ransomware, DDoS attacks, data breaches, and supply chain intrusions) have nearly doubled since the COVID-19 pandemic. The estimated losses tied to cyberattacks have reached $28 billion since 2020, with broader estimates suggesting annual global costs in the hundreds of billions.
One of the most impactful sections of the report involves a stress simulation conducted on the EU’s repo market; it models a scenario in which a cyberattack disables one of the top ten settlement nodes, core institutions responsible for processing repo transactions. The result: an average liquidity shortfall of €35 billion across the system. In extreme cases, this could rise to over €95 billion, temporarily affecting over 100 financial institutions and disrupting market stability.
ESMA’s data also reveals that cyber risk is amplified by third-party dependencies. Even smaller institutions or custodians with weaker security postures can pose systemic risk due to their central position in the financial infrastructure web. The report’s reverse stress tests show that attacks on these “less critical” nodes could still trigger €5 billion liquidity shocks, especially in cases where multiple institutions depend on a single settlement provider.
Digital Operational Resilience Act
The study underscores the importance of the new Digital Operational Resilience Act (DORA), which became effective in January 2025. DORA mandates structured, EU-wide reporting of major ICT incidents; it aims to fill the current gap in reliable data, which has hindered proper risk quantification and mitigation. Under DORA, firms must report details such as sector classification, time of service restoration, number of affected clients, and financial losses.
Still, ESMA emphasizes that regulation alone isn’t enough. Firms must invest in advanced cybersecurity, develop thorough incident response plans, and promote internal cyber hygiene. ESMA also calls for more harmonised international cooperation, noting that cyber threats are borderless, and that systemic resilience requires coordinated global action.
For fintechs, digital banks, and institutional investors, the report is a wake-up call. It shifts the conversation around cybersecurity from compliance and IT strategy to financial risk management and macroprudential stability. In a sector increasingly defined by automation, interconnected systems, and real-time data flows, the next big market shock may come not from a trading floor, but from a keyboard.
Sources:
- ESMA – https://www.esma.europa.eu/sites/default/files/2025-07/ESMA50-1949966494-3823_TRV_risk_article_-_Operational_and_cyber_risk_measurement_and_modelling.pdf
