
As of 17 January 2025, the Digital Operational Resilience Act (DORA) has officially come into effect.
The Central Bank of Ireland now expects that all Financial Entities are compliant with DORA, or are in the process of implementing a DORA compliance programme and have a clear and comprehensive plan to close any gaps as soon as possible.
In a joint statement made in December, the European Supervisory Authorities reminded the sector that there will not be a transitional period and that the expectation is for financial entities to adopt a robust approach in a timely manner. However, with a number of the standards still under legislative scrutiny, it is to be expected that remediation projects are still ongoing.
Understanding DORA Compliance Requirements
As the financial sector is increasingly dependent on technology and technology companies to deliver financial services, the aim of this EU legislation is for Financial Entities (FEs), including banks, investment firms and their third-party ICT providers, to strengthen their IT security and thereby reduce major cyber risks.
The Digital Operational Resilience Act covers:
ICT risk management - Principles and requirements on ICT risk management framework
ICT third-party risk management - Monitoring of risk arising from third-party ICT providers
Digital operational resilience testing - Basic and advanced testing
ICT-related incidents - Reporting of major ICT-related incidents to competent authorities
Information sharing - Exchange of information and intelligence on cyber threats
Oversight of critical third-party providers - Oversight framework for critical ICT third-party providers
The Central Bank expects FEs to report major ICT-related incidents to the Central Bank from 17 January 2025.
DORA sets out the criteria Financial Entities (FEs) should use to classify and assess the impact of incidents, looking at a range of metrics such as number of clients/transactions affected, duration of the incident, geographical spread, criticality of services affected and data losses. These criteria are outlined here.
In addition, FEs need to have their registers of ICT third-party providers’ contractual arrangements available for the Central Bank by 4 April 2025, and these will need to be reported to the ESAs by 30 April 2025.
What To Do If You're Not Fully Compliant Yet
If your organisation is still working toward full DORA compliance, the first step is to conduct a compliance gap analysis to assess your current digital operational resilience framework against DORA’s requirements.
The next step is to develop a remediation plan and prioritise actions to address the most critical gaps, such as incident reporting mechanisms or testing protocols. The CBI has stated that from 17 January, financial entities subject to the Digital Operational Resilience Act (DORA) will be obliged to submit reports on major ICT-related incidents to the Central Bank where the required criteria and thresholds have been met. The Central Bank provides key documents to support the financial entities in scope with the submission process. These documents can be found here.
You will also need to ensure your ICT providers are aligned with DORA standards and have contracts in place to reflect shared accountability. Strengthen your governance by implementing clear oversight and accountability structures to ensure continuous monitoring and improvement.
Acting now is critical. Non-compliance with DORA can lead to regulatory scrutiny, reputational damage, and potential penalties. Beyond avoiding these risks, aligning with DORA can significantly enhance your organisation’s operational resilience and customer trust.
How Johnson Hana Can Help
Johnson Hana can offer a full contract remediation solution for DORA. We have internal subject matter expertise, template amendment agreements, playbooks and FAQ documents ready to deploy. We use advanced search technology to review contracts and outreach technology to manage and track engagement with your ICT providers. We can offer reporting on progress and response levels.
Our methodology is to review existing ICT contracts to see where they are already compliant with DORA, so that amendment agreements are reduced in size and negotiation time is accordingly reduced. We aim to find the easiest route to compliance for our clients.
Additionally, for a quick solution Johnson Hana can offer an experienced legal professional to work within your organisation. They will be supported by Johnson Hana’s HQ team and materials.
Take action today to ensure your business is prepared. Whether you’re just starting your compliance journey or refining your existing frameworks, Johnson Hana’s team of experts is here to help.
Contact us to discuss your needs or schedule a consultation with our compliance specialists.
Additional reading on DORA is available at the links below: