A statutory instrument giving further effect to the Digital Operational Resilience Act (DORA) in Ireland has been published.
The European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (S.I. 20/2025) (Regulations) were signed by the Minister for Finance on 11 February 2025. While the Regulations complete implementation of DORA in Ireland, there are regulatory and implementing technical standards yet to be finalised at EU level with no indication as to when the technical standards will be published in final form and adopted by the European Commission.
Supervisory powers
For the purposes of Articles 26(9) and 32(5) of DORA, the Regulations designate the Central Bank of Ireland (Central Bank) as:
- the competent authority in Ireland responsible for matters relating to threat-led penetration testing in the financial sector
- the competent authority in Ireland whose staff member is the Irish high-level representative on the DORA Oversight Forum.
The Regulations also afford the Central Bank with all necessary powers to perform its functions and duties under DORA and the Regulations. The Central Bank is the competent authority for all DORA financial entities other than “institutions for occupational retirement provision” who are separately supervised by the Pensions Authority.
Enforcement powers
The Regulations amend the Central Bank Act 1942 (1942 Act) to enable the Central Bank to apply its administrative sanctions regime to a financial entity that is suspected of failing to comply with any of its obligations under DORA. This allows the Central Bank to investigate such suspected breaches and impose administrative sanctions on a financial entity found to be in breach, including but not limited to a caution, reprimand or a fine of up to €10 million or 10% of its annual turnover in the preceding financial year, whichever is higher.
The Central Bank also has the power to impose administrative sanctions on any individual who is found to have participated, while performing a controlled function (CF), in the commission of a breach of DORA by a financial entity, including but not limited to a direction imposing conditions on the performance of the CF role by the individual or a fine of up to €1 million.
These enforcement powers now sit alongside the enforcement tools that the Central Bank has under the Individual Accountability Framework.
For financial entities within the Senior Executive Accountability Regime (SEAR), DORA will now comprise a ‘prescribed contravention’ and fall within the ‘duty of responsibility’ of pre-approval controlled function (PCF) holders in such entities to take ‘reasonable steps’ to avoid the financial entity committing a contravention of its requirements.
For regulated financial entities who are not within the scope of SEAR, compliance with DORA and the roles that PCF or CF holders play in assisting with a financial entity’s compliance with its requirements could be relevant to whether those individuals have, for example, acted with ‘due skill, care and diligence’ and therefore complied with their individual obligations under the more general ‘Common Conduct Standards’.
Next steps
Notwithstanding that the Central Bank has indicated it will take an initial ‘Day 1 / Day 2’ approach to supervision of financial entities’ compliance with DORA, financial entities need to ensure that senior management and personnel performing PCF or CF roles are aware that financial entities can be subject to regulatory investigations and potential administrative sanctions for failure to comply with their obligations under DORA.
In addition, the Central Bank and European Supervisory Authorities have called out specific areas in respect of which they expect compliance without delay, namely, requirements relating to the registers of information on contractual arrangements with ICT third-party service providers and requirements relating to incident identification and reporting. For more information on the ‘Day 1 / Day 2’ approach and supervisors’ expectations, see our recent client insight here.
For further information on regulatory enforcement investigations and DORA, please contact Dario Dagostino, Partner, Patrick Brandt, Partner, Mark Devane, Partner, Chloe Culleton, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Aisling Ennis, Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team, or alternatively, visit ALG’s DORA Hub.
