Key Facts
Applicable since: 17 January 2025
Irish regulator: Central Bank of Ireland
The Digital Operational Resilience Act has applied to financial entities across the EU since 17 January 2025. For Irish banks, insurers, investment firms, payment institutions, and a wide range of other financial entities, DORA compliance is not a future obligation. It is a current one. This checklist covers the core obligations and what the Central Bank of Ireland expects.
Who Is In Scope?
DORA applies to over twenty types of financial entities under Article 2. If you are regulated by the Central Bank of Ireland and provide financial services, you are almost certainly in scope.
Crypto-asset service providers
ICT Risk Management — Articles 5 to 15
The foundation of DORA compliance is a documented ICT risk management framework. Under Article 5, your management body bears direct responsibility: it must approve the framework, review it annually, and receive regular ICT risk reporting.
Art. 5 — Governance: Board-approved ICT risk framework, reviewed at least annually
Art. 8 — Asset Register: All ICT assets identified and classified by criticality
Art. 9 — Access Controls: Documented and enforced access control policies
Art. 10 — Detection: Mechanisms to identify anomalous activities in real time
Art. 11 — Business Continuity: Documented BCP covering ICT disruption and cyber incidents
Art. 13 — Learning: Post-incident review and framework improvement process
Incident Reporting — Articles 17 to 23
If an incident is classified as major under Article 18, Article 19 imposes a three-stage reporting obligation to the Central Bank of Ireland.
Stage 1, Initial Notification: Within 4 hours of classification
Stage 2, Intermediate Report: Within 72 hours
Stage 3, Final Report: Within 1 month of resolution
Common gap identified in assessments
Many Irish financial entities lack documented incident classification procedures and have not tested their reporting workflows. These are among the most frequently identified DORA gaps.
Third-Party ICT Risk — Articles 28 to 44
Third-party risk is one of the most resource-intensive areas of DORA compliance. Under Article 30, all contracts with ICT providers for critical functions must include specific mandatory provisions.
Full service description and SLAs
Data location and processing details
Audit rights and regulator access
Incident notification timelines
Exit provisions and data portability
Sub-outsourcing restrictions
Register of Information — immediate priority
The Register of Information submission window closed in March 2026. If you have not submitted your RoI to the Central Bank of Ireland, this is an immediate compliance priority.
Morclear's DORA Gap Assessment covers all applicable obligations across Articles 5 to 44, producing a scored report with RAG ratings and a prioritised remediation roadmap in two weeks for a fixed fee of 999 euro.
Where does your organisation stand on DORA?
Book a free 30-minute scoping call with the Morclear team. We will assess your current DORA position and tell you exactly what needs to happen.