In Matheson LLP's Insight entitled "Early Christmas gift from Europe – DORA is adopted", the recent adoption of DORA by the Council of the European Union is discussed. This development has left many financial services entities querying the interplay between DORA and the Central Bank of Ireland's (the "Central Bank") Cross Industry Guidance on Operational Resilience (the "Guidance") published in December 2021.

The Guidance sets out the Central Bank's expectations of firms in terms of implementing an effective operational resilience framework. The Guidance is based on 15 Guidelines framed around three pillars of operational resilience:

  1. Identify and Prepare;
  2. Respond and Adapt; and
  3. Recover and Learn.

Crucially, the Guidance relates to resilience in respect of all types of operational disruptions, not just digital operational disruptions, although it does specifically address digital operational resilience under Pillar 1, Guidelines 8 and 9. Helpfully, anticipating the adoption of DORA, the Central Bank noted in its feedback statement to the consultation paper on the draft Guidance that the Guidance was "in line with international best practice and compatible with and complementary to DORA" and that it had "determined that there are no contradictions between this Guidance and the forthcoming DORA regulation". The Central Bank also committed to "continue to update and align the intended outcomes of our supervisory approach with relevant international operational resilience policy developments as they evolve" and "monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices".

Consequently, on the face of it, any work being carried out by firms in preparation for the 1 December 2023 deadline for compliance with the Guidance will be compatible with and complementary to any work required to demonstrate compliance with the obligations under DORA in due course. It should, however, be flagged that we anticipate that the level of work required to ensure compliance under DORA will likely exceed that required under Guidelines 8 and 9, particularly in terms of specificity of actions.
