Moira Cronin explains how the Digital Operational Resilience Act will impact Irish-based financial services providers, enhancing ICT risk management and digital resilience
The Digital Operational Resilience Act (DORA) came into effect on 17 January 2025.
Designed to consolidate and upgrade information and communications technology (ICT) risk requirements in the financial sector, DORA applies common standards to all financial system participants. Its aim is to mitigate ICT and cyber risks across providers’ operations.
So, what does this Act mean for financial services providers based in Ireland?
Legal basis
DORA removes obstacles to, and improves the establishment and functioning of, the internal market for financial services by harmonising the rules that apply to ICT risk management, incident reporting, security control testing and ICT third-party risk.
Subsidiarity
The proposal harmonises the digital operational component of a deeply integrated and interconnected sector already benefitting from a single set of rules and supervision in most other key areas.
For ICT-related incident reporting, only EU harmonised rules could reduce administrative burdens and financial costs associated with reporting the same ICT-related incident to different EU and national authorities.
Proportionality
Proportionality is designed in terms of scope and intensity through qualitative and quantitative assessment criteria.
While the new rules cover all financial entities, they are also tailored to the risks and needs arising from each entity's specific characteristics, such as its size and business profile.
Proportionality is also embedded in the ICT and cyber-risk management rules, digital resilience testing, reporting major ICT-related incidents and oversight of critical ICT and cyber third-party service providers.
Choice of instrument
The measures needed to govern ICT and cyber risk management, ICT and cyber-related incident reporting, testing and oversight of critical ICT and cyber third-party service providers must be contained in the regulation to ensure that the detailed requirements are effectively and directly applicable in a uniform manner, without prejudice to proportionality and specific rules foreseen by this regulation.
Three DORA requirements businesses should aim to achieve are:
1. ICT-related incident reporting
One of the main requirements for financial entities is to establish and implement a management process to monitor and log ICT and cyber-related incidents, followed by an obligation to classify them based on criteria detailed in the regulation and further developed by the European Supervisory Authorities (ESAs) to specify materiality thresholds. Only ICT-related incidents deemed significant must be reported to the competent authorities.
2. Cyber operational resilience testing
The capabilities and functions included in the ICT risk management framework need to be periodically tested for preparedness, identification of weaknesses, deficiencies or gaps and prompt implementation of corrective measures.
This regulation allows for a proportionate application of digital operational resilience testing requirements depending on financial entities' size, business and risk profiles.
3. ICT and cyber third-party risk
The regulation is designed to ensure sound monitoring of ICT and cyber third-party risk: financial entities will be required to observe several key elements in their relationships with ICT and cyber third-party providers, while remaining fully responsible for complying with and discharging all of their own obligations.
To this end, contracts governing this relationship will be required to include:
- At least a complete description of services;
- An indication of locations where data is processed;
- Full-service level descriptions accompanied by quantitative and qualitative performance targets;
- Relevant provisions on accessibility, availability, integrity, security and protection of personal data;
- Inspection and audit by the financial entity or an appointed third-party;
- Clear termination rights; and
- Dedicated exit strategies.
DORA should therefore be considered in close coordination with the NIS Directive version 2 (NIS2), the Central Bank of Ireland (CBI) Operational Resilience Guidelines and the EU Critical Infrastructure Directive.
DORA is part of a package of digital finance measures designed to further enable and support the potential of digital finance in terms of innovation and competition, while mitigating the risks arising from it.
It aligns with the European Commission's priorities to make Europe fit for the digital age and build a future-ready economy that works for the people.
Moira Cronin is Digital Risk Partner at PwC Ireland