DORA Compliance: A Practical Guide for Irish Financial Services
The Digital Operational Resilience Act is in force. Here's what it requires, who it applies to in Ireland, and how to approach it practically.
The Digital Operational Resilience Act (DORA) has applied across the EU since January 2025. If your organisation is a financial entity — or a critical ICT provider to one — you are already subject to its requirements.
DORA is significant because it goes beyond cybersecurity policy. It requires demonstrable operational resilience: tested recovery capabilities, documented ICT risk management, and contractual accountability right down your supply chain. This guide explains what that means in practice for Irish financial services firms.
Who Does DORA Apply To?
DORA applies to a wide range of financial entities, including:
- Credit institutions (banks, credit unions)
- Investment firms and fund managers
- Insurance and reinsurance undertakings
- Payment institutions and e-money institutions
- Crypto-asset service providers
- Central counterparties and trading venues
- Account information service providers
It also applies to ICT third-party service providers designated as "critical" by the European Supervisory Authorities (ESAs) — meaning cloud providers, data analytics platforms, and managed security service providers that serve the financial sector may fall directly in scope.
Proportionality: DORA applies a proportionality principle for smaller and less complex entities. Microenterprises (fewer than 10 employees and under €2M turnover) have simplified obligations, but are still in scope.
The Five Pillars of DORA
1. ICT Risk Management
You must have a comprehensive ICT risk management framework — documented, board-approved, and regularly tested. This includes:
- An up-to-date inventory of ICT assets and their interdependencies
- Protection and prevention measures for each identified risk
- Detection capabilities for anomalous activity
- Response and recovery plans, including business continuity and disaster recovery
The framework must be integrated with your overall business risk management — not treated as a standalone IT exercise.
2. ICT-Related Incident Management
DORA sets specific classification and reporting requirements for ICT incidents:
- Major incidents must be reported to your competent authority:
  - Initial notification within 4 hours of classification (or 24 hours of becoming aware)
  - Intermediate report within 72 hours
  - Final report within 1 month
- You must have a management process for detecting, classifying, and escalating ICT incidents
- Significant cyber threats (even if no incident occurred) must also be reported on a voluntary basis
Accurate classification is critical. Under-reporting a major incident carries significant regulatory risk.
3. Digital Operational Resilience Testing
Financial entities must conduct regular resilience testing — and for significant institutions, this includes Threat-Led Penetration Testing (TLPT):
- Basic testing (all entities): Annual vulnerability assessments and scenario-based testing
- TLPT (significant entities): At least every 3 years, conducted by qualified external testers, covering live production systems
Your testing programme must be documented, results must feed into remediation, and the board must be informed of outcomes.
4. ICT Third-Party Risk Management
This is where DORA has the broadest impact. You must:
- Maintain a complete register of all ICT third-party service providers
- Conduct thorough due diligence before onboarding any ICT provider
- Include specific contractual provisions in all ICT contracts (audit rights, exit strategies, SLAs, security requirements)
- Conduct ongoing monitoring of critical ICT providers
- Develop exit strategies so you're never locked into a single provider without a contingency
For contracts with critical third-party providers, ESAs provide regulatory technical standards specifying exactly what must be in those contracts.
5. Information and Intelligence Sharing
DORA encourages (and in some cases requires) the sharing of cyber threat intelligence between financial entities. Participation in information-sharing arrangements is voluntary but demonstrates proactive compliance.
The Irish Regulatory Context
In Ireland, DORA is overseen by:
- Central Bank of Ireland (CBI) — the competent authority for most financial entities
- Department of Finance — for entities not supervised by the CBI
The CBI has been clear that it expects regulated entities to be compliant and has integrated DORA requirements into its supervisory framework. The Cross-Industry Guidance on IT and Cybersecurity Risks, which Irish firms have been required to address since 2016, aligns significantly with DORA, but the bar is now materially higher.
How to Approach DORA Compliance Practically
- Establish scope — confirm which pillar requirements apply at your entity's size and classification
- Run a gap assessment — map your current ICT risk management, incident processes, and third-party register against DORA's requirements
- Prioritise the register — your ICT asset and third-party inventories are foundational; nothing else works without them
- Fix your contracts — identify ICT contracts that lack DORA-required provisions and begin renegotiation
- Build your testing programme — even if TLPT doesn't apply to you, annual vulnerability testing is required for all entities
- Document everything — DORA compliance is demonstrated through documentation as much as through actual controls
Assess Your DORA Readiness in 15 Minutes
Shield IQ's DORA compliance assessment covers all five pillars with scored, AI-analysed responses. You'll get a maturity score per domain, a prioritised gap list, and a remediation action board — all free.
Start your DORA assessment today at app.shieldiqcyber.com
No credit card. No sales call. Under 15 minutes.