DORA Digest: Key developments during January to March 2025

The Digital Operational Resilience Act (DORA), along with its regulatory technical standards (RTS) and implementing technical standards (ITS), has applied since 17 January 2025 and there have been several developments since. DORA is aimed at achieving a high level of digital operational resilience for regulated financial entities to ensure that they can withstand and respond to cyber threats and ICT-related incidents. As financial entities continue to grapple with DORA compliance, we have set out below some of the notable developments.

16 January 2025: Guide published by the Central Bank of Ireland on how to submit incident reports through the CBI Portal

On 16 January, the Central Bank of Ireland (CBI) published a ‘Guide to submitting major ICT–related incidents and significant cyber threats report(s) on the Central Bank of Ireland Portal’. The Guide provides systems guidance to assist financial entities in using the CBI Portal for submitting a major ICT-related incident and significant cyber threat report to CBI. The Guide also links to the relevant reporting templates available on the CBI website.

17 January 2025: European Union (Digital Operational Resilience) Regulations 2025

On 17 January, the European Union (Digital Operational Resilience) Regulations 2025 (S.I. No. 12 of 2025) came into operation. These Regulations make targeted amendments to various pieces of legislation that are relevant to in-scope DORA financial entities, including:

  • European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011.
  • European Union (Alternative Investment Fund Managers) Regulations 2013.
  • European Union (Capital Requirements) Regulations 2014.
  • European Union (Bank Recovery and Resolution) Regulations 2015.
  • European Union (Insurance and Reinsurance) Regulations 2015.
  • European Union (Markets in Financial Instruments) Regulations 2017.
  • European Union (Payment Services) Regulations 2018.

Some of the targeted amendments are aimed at ensuring that the network and information systems of financial entities are set up and managed in accordance with DORA.

20 January 2025: Updated DORA Q&A from the Pensions Authority addressing the reporting of major ICT-related incidents and cyber threats

On 20 January, the Pensions Authority published an updated DORA Q&A for pension schemes to address the reporting of major ICT-related incidents and cyber threats to the Pensions Authority. The Pensions Authority is the competent authority under DORA for pension schemes with 16 or more active and deferred members (see our previous briefing that discusses the implications of DORA for trustees of pension schemes). The updated Q&A addressed the following:

  • How to report major ICT-related incidents to the Pensions Authority, including links to the relevant reporting templates.
  • The Pensions Authority confirmed that the reporting of major ICT-related incidents could, in accordance with Article 19(5) of DORA, be outsourced to a third-party provider, but that the trustees remain responsible for complying with the reporting requirements. It also noted that the ‘Implementing Technical Standards on reporting major ICT-related incidents and significant cyber threats’ require pension schemes to notify the Pensions Authority where they outsource this function, and that a further notification is required where the outsourcing is cancelled.

22 January 2025: European Commission confirms that financial services are not ‘ICT services’

On 22 January, the European Insurance and Occupational Pensions Authority (EIOPA) published the European Commission’s response to a Q&A that provides welcome clarification on the definition of ‘ICT services’ under DORA. In this regard, financial services that entail an ICT component are not to be classified as ‘ICT services’ for the purposes of DORA.

Article 3(21) of DORA defines ICT services as “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services” and recital 35 states that it is to be understood in a broad manner. This raised concerns for the financial services industry because, in practice, many financial services incorporate an ICT component, meaning a very broad definition could lead to over-regulation.

In a Q&A, the European Commission considered the definition of ICT services. While it repeats the general principle that the definition of ICT services is intentionally broad, it helpfully provides a test for financial entities to use to assess whether a particular service should be classified as an ICT service. In this regard, the Q&A notes that the receiving financial entity should consider the following two questions:

  1. Do the services constitute an ICT service under DORA?
  2. Are the providing financial entity and the services it provides regulated under EU law or under the national law of an EU Member State or third country?

Where the answer to both questions is yes, the services are to be considered as predominantly the provision of a financial service and not an ‘ICT service’ for the purposes of DORA. The European Commission added, however, that where the service is unrelated to or independent from the regulated financial service, it should be considered an ‘ICT service’ under Article 3(21) of DORA.

31 January 2025: European Commission rejects draft RTS on Subcontracting

On 31 January, the European Commission published a letter dated 21 January to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs) rejecting the draft Subcontracting Regulatory Technical Standards (RTS) on the elements a financial entity needs to determine when subcontracting ICT services supporting its critical or important functions. The draft RTS was submitted to the Commission last summer.

The European Commission rejected the draft RTS on the basis that the provisions in Article 5 relating to the monitoring of the subcontracting chain went beyond the scope of the ESAs’ mandate. In the rejection letter, the Commission stated that Article 5 (and the related recital 5) would need to be removed in order for the Commission to adopt the RTS. The ESAs have since issued an Opinion accepting the amendments proposed by the Commission, commenting that they ensure that the draft RTS is in line with the ESAs’ mandate set out under DORA. The ESAs have urged the Commission to adopt the draft RTS without further delay. Further information is available in our previous briefing.

7 February 2025: CBI update on submitting Registers of Information

Financial entities that are subject to DORA are required to submit Registers of Information in relation to all contractual arrangements for the use of ICT services that are provided by ICT third-party service providers (please see our previous briefing for more information). On 7 February 2025, CBI announced the creation of a new web page with information on the DORA Register of Information submissions, including the format required for the submissions. The web page states that Register of Information submissions are to be made between 1 and 4 April 2025 using the CBI Portal. Notably, the Register of Information should contain all data required by the ITS as of 31 March 2025. On 18 March, CBI also uploaded a ‘key resources’ document (see here) to assist financial entities with their register preparations.

A ‘how to’ guide on how to submit Registers of Information using the CBI Portal is due to be published on 21 March. Also, the multifactor authentication mechanism used by the CBI Portal is being upgraded so financial entities are to expect changes to the authentication and access process.

11 February 2025: European Union (Digital Operational Resilience) (No. 2) Regulations 2025

On 11 February, the European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (S.I. No. 20 of 2025) (“2025 Regulations”), which focus on the Central Bank of Ireland’s (CBI) role and also provide for a deferred application of DORA to credit unions, were introduced by the Minister for Finance. Some notable aspects of the 2025 Regulations include:

  • DORA shall not apply to credit unions (within the meaning of the Credit Union Act 1997 (No. 15 of 1997)) until 17 January 2028;
  • CBI has been designated as the competent authority in Ireland for the following:
    • Threat-Led Penetration Testing (TLPT) related matters; and
    • the DORA Oversight Forum, with one of its staff members acting as the Irish high-level representative. The DORA Oversight Forum will discuss developments on ICT risk and vulnerabilities with a view to coming up with a common position.
  • CBI is to have all powers necessary for the performance of its functions and duties under DORA and the 2025 Regulations. In this regard, it can impose sanctions after having conducted an inquiry into the conduct of a regulated financial entity or a person concerned in its management. CBI can also dispense with an inquiry and impose sanctions where the prescribed contravention (which now includes a DORA contravention) has been acknowledged. The sanctions include:
    • An order to cease conduct that breaches DORA and to desist from repeating that conduct.
    • A requirement for the temporary or permanent cessation of any practice or conduct that CBI considers to be contrary to DORA, and not to repeat that conduct.
    • The adoption of any type of measure, including those of a pecuniary nature (e.g. fines).
    • Public notices and public statements identifying the financial entity that contravened DORA and the nature of the breach.

Notably, sanctions can also be imposed on members of the financial entity’s management body and on other individuals who, under any relevant enactment, are responsible for the breach.

18 February 2025: Roadmap for Critical Third-Party Providers (CTPPs)

On 18 February, the ESAs published a roadmap to designate critical ICT third-party service providers (CTPPs) (see our previous briefing for details of who may be a CTPP). DORA will have a more significant impact on those ICT third-party service providers who are designated by the ESAs as ‘critical’, as they will be subject to a direct oversight regulatory regime by one of the ESAs. The roadmap outlines the journey to designation as a CTPP:

  1. Submission of Registers of Information: by 30 April 2025, competent authorities (e.g. the Central Bank of Ireland) are to submit the Registers of Information on ICT arrangements that they receive from financial entities to the ESAs.
  2. Criticality Assessments: the ESAs will perform the criticality assessments mandated by DORA and notify ICT third-party service providers of their classification as critical by July 2025. This notification will start a six-week period during which ICT third-party service providers may object to the assessment with a reasoned statement and relevant supporting information.
  3. Final Designation: after the six-week period, the ESAs will designate CTPPs and start oversight engagement with them.

Once the list of CTPPs has been published, ICT third-party providers who have not been designated as a CTPP may voluntarily request to be designated as a CTPP.

7 March 2025: ESAs Opinion on the Subcontracting RTS

On 7 March, the ESAs published an Opinion on the European Commission’s rejection of the draft Subcontracting RTS, noting that they do not propose any changes to the European Commission’s suggested amendments and urging the European Commission to finalise the adoption of the RTS without further delay. For further information, please see our previous briefing. Once the RTS is adopted, it will undergo parliamentary scrutiny for three months and will then be published in the Official Journal of the European Union, entering into force on the day stated therein (usually twenty days after publication).

12 March 2025: Updated DORA Q&A from the Pensions Authority regarding ICT services

Following the European Commission’s clarification in January regarding what types of services are ‘ICT services’ under DORA, the Pensions Authority released version 5 of its DORA Q&A. In the Q&A, the Pensions Authority states that trustees must carry out an assessment in order to determine which, if any, of a scheme’s providers need to be included in its Register of Information. A decision tree (along with accompanying notes) has been published to assist with this assessment.

19 March 2025: ESAs update FAQs on the Register of Information

With the submission window opening shortly for financial entities to submit their first Register of Information, the ESAs released an updated FAQ addressing the preparation and reporting of Registers of Information. The new questions address how to populate the Register of Information. Overall, the FAQs provide useful practical guidance on completing the templates, identifying ICT service providers, and maintaining and reporting registers at various levels. Additionally, the European Banking Authority’s website includes a number of helpful resources to assist with preparing your first Register of Information (see here).

How can we help?

For more information or assistance with DORA, please contact one of the key contacts below or your usual contact in McCann FitzGerald LLP.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.