The Final Countdown: Complying with the Digital Operational Resilience Act (DORA)

In-scope firms (such as investment firms, insurance undertakings, management companies, credit institutions, crypto-asset service providers, payment institutions and electronic money institutions) must comply with the Digital Operational Resilience Act (“DORA”) by 17 January 2025.

As well as imposing requirements on financial entities, DORA also imposes requirements on ICT third-party service providers.

Could you be a critical ICT third-party service provider?

Whether an entity could be designated a critical ICT third-party service provider depends on:

(a) whether the entity has a systemic impact on the provision of financial services;

(b) the importance of the EU financial entities relying on the entity;

(c) the reliance of financial entities on the functions supported by the entity; and

(d) the degree of substitutability of the entity, i.e. whether alternative providers could provide similar services.[1]

If the entity is part of a group, the criticality of the whole group will be considered.

For information on whether you are in-scope of DORA, please see our briefing here.

DORA Industry Briefing:

On 6 November 2024, the Central Bank of Ireland (the “CBI”) held a DORA Industry Briefing setting out regulatory expectations for firms within the scope of DORA. Some of the key takeaways were as follows:

  • DORA is a fully cross-sectoral and wide-scope piece of regulation. It seeks to introduce a single, far-reaching framework of regulation that can be applied to every financial firm whatever their size, complexity, and business model.
  • For firms subject to DORA’s advanced threat-led penetration testing, the CBI will hold dedicated workshops for those entities that it identifies as being in-scope.
  • DORA represents in many respects what any well managed firm should be doing. In some sectors, many of the requirements under DORA are already in place under sectoral legislation. For these firms, the gap to implementation is smaller. In particular, firms should not expect regulatory leeway with respect to obligations under DORA which overlap with obligations imposed by the Payment Services Directive and the NIS 2 Directive (on measures for a high common level of cybersecurity across the European Union).[2]
  • The CBI expects firms to have clearly identified gaps to compliance with DORA and to be moving quickly to close those gaps. The CBI will assess firms’ performance including by having regard to their appropriate starting point, the quality of their approach, and their timely closing of any gaps.
  • In certain areas, such as incident identification and reporting, firms will be expected to strictly comply with the requirements without delay.
  • The CBI expects financial entities to report ICT incidents that meet the materiality criteria for reporting under DORA even if a critical ICT third-party service provider has already reported an ICT incident to the CBI.

How can we help?

McCann FitzGerald LLP is a premier law firm in Ireland and stands ready to assist in-scope entities as they prepare for full compliance with DORA by the deadline of 17 January 2025. For assistance, please get in touch with one of the below key contacts, or your usual contact at the firm.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.