Digital Operational Resilience Act (DORA)
On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU. This includes a Regulation and a Directive on digital operational resilience for the financial sector. DORA has been in application since 17 January 2025.
DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. DORA brings together provisions addressing digital operational risk in the financial sector in a consistent manner in one single legislative act.
Relevant to regulated financial service providers, it introduces targeted rules on:
- Information and Communication Technology (ICT) risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk (including the introduction of an oversight framework for critical ICT third-party service providers)
- Information sharing arrangements.
The DORA regulation is supplemented by (and should be read in conjunction with) the relevant implementing and delegated acts adopted by the European Commission, and the guidelines and information published by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority.
Financial Entities should monitor updates from the Central Bank of Ireland's DORA Communications and Publications page and relevant supervisory authorities on their respective websites.
Information and Communication Technology Self-Assessment tool
The Information and Communication Technology Self-Assessment Tool (ICT-SAT) is a structured framework which helps the Central Bank of Ireland assess how well regulated entities manage ICT risks and protect their operations, as required by the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554.
ICT-SAT improves transparency and consistency by allowing firms to:
- Evaluate their own ICT governance and controls
- Compare their maturity against industry standards
- Assess their digital operational resilience.
ICT-SAT follows DORA requirements and industry best practices. We update it regularly as regulations and standards evolve. When firms complete the questionnaire, we use their responses to tailor our supervision to their size and complexity. This helps us to understand their ICT risk management and operational vulnerabilities.
ICT Self-Assessment Tool 2026 | pdf 822 KB
Updated: 29 January 2026