Editorial

Ireland Gears Up for DORA: What You Need to Know

Chris Lawless, Managing Consultant, and Liliana Hillebrand-Measures, Principal Consultant, bring their expert lens to the evolving regulatory landscape as Ireland prepares for the full implementation of the EU’s Digital Operational Resilience Act (DORA).

Contributor

Chris brings seven years of experience across Investment Banking, Private Banking, and Wealth Management to his role as a Managing Consultant.

Chris Lawless
Managing Consultant

With the EU’s Digital Operational Resilience Act (DORA) fully in force since January 2025, Ireland’s financial sector is navigating a major regulatory shift. DORA establishes a harmonised framework for managing digital risks, focusing on Information and Communication Technology (ICT) disruptions and third-party dependencies. In this context, ICT refers to the systems, software, hardware, and communication technologies that underpin digital operations, ranging from cloud services and data centres to cybersecurity tools and external platforms.

What is DORA and what does it say about CTPPs?

More than just another regulation, DORA is a strategic overhaul of digital risk management. It covers over 20 categories of financial firms, from banks and insurers to FinTechs and payment services, demanding they can withstand and recover from digital threats.

This is particularly relevant in Ireland, where fintech innovation and reliance on global tech providers are central to the financial ecosystem.

A key feature of DORA is the creation of CTPPs (critical third-party providers): tech providers deemed essential to financial stability. Think cloud platforms, cybersecurity vendors, and data providers. These firms will soon face direct scrutiny from EU regulators.

CTPPs will be designated through a two-step process using both hard data (like market share) and soft factors (like interdependencies). Once labelled, they’ll answer to Joint Examination Teams (JETs) led by EU supervisory authorities, backed by the Central Bank of Ireland.

What ICT CTPP Providers Need to Know

CTPPs, even those based outside the EU, must establish a legal presence within it.

They’ll need to:

  • Deliver timely access to critical data: Ensure regulators can swiftly access operational and security-related information, including cybersecurity protocols, incident logs, and resilience testing outcomes.
  • Facilitate on-site inspections: Be inspection-ready by allowing EU authorities physical access to premises, systems, and data at any time, even without prior notice.
  • Engage through empowered leadership: Appoint senior EU-based executives who are fully equipped to collaborate with regulators and drive compliance from the top.
  • Manage oversight and reporting obligations: Seamlessly handle regulatory fees and provide transparent financial reporting to support ongoing supervision.

For global providers serving Irish firms, the message is clear: get ready or risk disruption.

The Oversight Timeline: What’s Next?

  • In line with the Digital Operational Resilience Act (DORA), oversight of critical third-party providers (CTPPs) will become more structured and proportionate.
  • CTPPs will have begun to share the cost of oversight equally.  
  • From 2026 onwards, supervisory fees will be calibrated based on each provider’s annual turnover.
  • An additional fixed fee of €50,000 will apply to providers that voluntarily opt in for designation as ‘critical’.

Here’s how the remainder of 2025 is expected to progress:

  • April–May: Data collection and criticality assessments
  • June–July (imminent): Notifications issued to identified CTPPs
  • August–September: Final critical designations confirmed
  • October–December: Full regulatory oversight begins

Irish financial entities and all firms within the EU perimeter should already be assessing their reliance on digital service providers and preparing for the operational resilience requirements under DORA.

Resilience isn’t optional, it’s operational.

DORA marks a seismic shift in digital regulation—and a massive opportunity for Ireland. With its thriving tech sector and global connectivity, Ireland can lead in operational resilience.

But time is short. Financial institutions must:

  • Map their ICT dependencies
  • Assess provider readiness
  • Align internal governance

How Delta Capita Can Help

We don’t just help you comply, we help you lead. Delta Capita is your partner for DORA including TPRM readiness. Here’s how we support your journey:

  • Health check – A comprehensive review process, providing clear insight from gap analysis and a plan to achieve compliance  
  • ICTs (DORA) & CTPs (Ops. Res) Risk Management Governance Framework Review & Redesign
  • Identification of critical & important business services and associated tolerances using our pre-built questionnaires
  • End-to-End mapping of business service delivery supply chain including 3rd, 4th and 5th party dependencies  
  • Scenario development and testing  
  • Remediation requirements gathering & execution support
  • DORA Third Party Risk Management and Compliance Monitoring as a managed service
