24 January 2025

Navigating DORA: Key Compliance Steps From 17 January 2025

Walkers

Contributor

Walkers is a leading international law firm which advises on the laws of Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, Ireland and Jersey. From our 10 offices, we provide legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers.

Key takeaways

  • DORA is now applicable, imposing requirements in respect of ICT risk management and digital operational resilience.

  • Firms should be preparing their register of information ready for sharing with the CBI in April.

  • Reporting major ICT-related incidents is now mandatory within specified timeframes.

The Digital Operational Resilience Act (DORA) applies to certain financial entities from today – 17th January 2025.

DORA aims to ensure that financial entities operating in the EU financial services industry can withstand, respond to and recover from all types of information and communication technology (ICT)-related disruptions and threats.

Starting today, national competent authorities (NCAs) such as the Central Bank of Ireland (CBI) will initiate their supervision of DORA. This includes conducting reviews to assess compliance along with gathering and verifying information requested by the European Supervisory Authorities (ESAs).

Following on from today's application date, the next significant deadline for firms is the submission of their register of information to their NCA, which must submit this to the ESAs on 30 April 2025. Consequently, firms should be preparing their register of information ready for sharing in April. In its Industry Briefing on 6 November 2024, the CBI stated that it would seek to collect registers in the first week of April 2025.

Firms are also required to report major ICT-related incidents within specified timeframes following the determination that an incident is classified as major. The CBI flagged this as a key item for today's application date.

Lastly, a number of firms will be designated by their NCA to conduct threat-led penetration testing. This designation will be communicated to the firms by their respective NCA. These firms must comply with additional advanced testing of their digital operational resilience.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
