The Digital Operational Resilience Act has applied across the EU since 17 January 2025. Every bank, insurer, investment firm, and crypto-asset provider operating in Ireland is in scope, and so are the IT vendors they depend on. A year in, most Irish firms have written the policies. Far fewer can prove they actually work.
The Central Bank of Ireland is now asking for evidence, not intentions. Here is where the gaps usually sit.
ICT Risk Management
DORA expects a documented framework covering identification, protection, detection, response, and recovery. If your asset register is a spreadsheet last updated in 2023, that is a finding. Map every critical system and the data that flows through it.
Incident Reporting
Major ICT incidents must be reported to the competent authority on tight deadlines, with an initial notification, an intermediate update, and a final root cause report. Most firms have never run this end to end. Test it before a real incident does it for you.
Resilience Testing
Annual testing is mandatory, and the largest entities face threat-led penetration testing every three years. A vulnerability scan is not a substitute. Scope realistic attack scenarios against your critical services in production.
Third Party Risk
Your cloud provider, your core banking platform, and your managed SOC all count as ICT third parties. DORA wants a register of them, contractual exit strategies, and concentration risk analysis. Single-provider dependence is the first question a regulator asks.
What To Do Now
Run a gap assessment against the five pillars. Prioritise incident reporting rehearsals and the third-party register. Brief the board, because under DORA the management body is accountable, and that accountability is personal.
Written by Shreesh, Shamrock Security
