DORA Compliance for Irish SMEs

DORA is now in force across the EU. Irish financial sector SMEs and their ICT suppliers face concrete obligations. This guide explains the four pillars, who's in scope, and where to start.

DORA Compliance for Irish SMEs: What the Digital Operational Resilience Act Actually Requires

The Digital Operational Resilience Act — DORA — came into full effect on 17 January 2025. Enforcement is now live, and if your Irish business operates in or around the financial sector, you need to understand your obligations. This is not a future problem. Regulators are active, and the scope is broader than most people expect.

What DORA Actually Is

DORA is an EU regulation (2022/2554) designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. The underlying logic is straightforward: modern financial services run on technology, and a fragmented patchwork of national IT risk rules creates systemic gaps. DORA standardises the floor.

It sits alongside NIS2 but is sector-specific and directly applicable — no national transposition required. Where NIS2 sets broad cybersecurity obligations for critical sectors, DORA goes deeper into operational resilience for financial services and their technology supply chains. If you are subject to both, DORA takes precedence for ICT risk management obligations in the financial domain.

Who Is in Scope

The regulation covers a wide range of financial entities operating in Ireland and across the EU:

  • Credit institutions and payment institutions
  • Electronic money institutions
  • Investment firms and fund managers (AIFMs, UCITS management companies)
  • Insurance and reinsurance undertakings
  • Crypto-asset service providers (CASPs)
  • Trading venues and central counterparties
  • Credit rating agencies and audit firms (in certain contexts)

That list alone covers a significant portion of Ireland's IFSC and broader domestic financial sector.

Where Irish SMEs often get caught out is in the third-party ICT provider provisions. If your company provides software, cloud hosting, managed IT services, data analytics, or any technology service to a regulated financial entity, DORA places contractual and operational obligations on you — even though you are not a financial entity yourself.

Specifically, financial entities must now include mandatory clauses in contracts with ICT suppliers covering: access and audit rights, incident notification timelines, business continuity expectations, and exit strategies. If your current contracts with financial sector clients do not contain these clauses, your clients may already be in breach, and they will be coming to you to fix it.

The Four Core Obligation Pillars

1. ICT Risk Management

Financial entities must maintain a comprehensive ICT risk management framework — documented policies, asset inventories, classification schemes, and controls. They must identify and manage ICT risks continuously, not just at audit time. For many smaller regulated entities, this is a significant step up from what they have today.

2. ICT-Related Incident Reporting

DORA introduces a harmonised incident classification and reporting regime. Major ICT incidents must be reported to the Central Bank of Ireland (the national competent authority for most regulated entities) within defined timescales: an initial notification within four hours of classification, an intermediate report within 72 hours, and a final report within one month. The classification criteria are specific — organisations need to be able to assess incidents against them quickly.

3. Digital Operational Resilience Testing

Financial entities must conduct regular ICT testing. Basic testing (vulnerability assessments, network scanning) is mandatory for all in-scope entities. Significant entities — those with systemic importance — are required to conduct Threat-Led Penetration Testing (TLPT) every three years, using certified testers and following the TIBER-EU framework. Irish regulators have been building out TIBER-IE capacity in parallel.

4. Third-Party ICT Risk Oversight

This is the most operationally complex pillar. Financial entities must maintain a register of all ICT third-party service providers, assess them on an ongoing basis, and ensure contracts meet DORA's mandatory provisions. For critical third-party providers (designated at EU level), the European Supervisory Authorities can directly oversee and inspect.

How DORA Relates to NIS2

If you are already working through NIS2 compliance, much of the groundwork transfers. Risk management frameworks, incident response procedures, supply chain controls, and governance structures are common requirements. The material difference is depth and specificity: DORA goes further on testing, incident classification, and contractual obligations with suppliers.

A practical way to think about it: NIS2 sets the minimum floor for critical entities. DORA raises that floor significantly for financial services and adds structural requirements that NIS2 does not contemplate, such as TLPT and the detailed third-party register.

For an Irish SME that is both a NIS2 entity (as an ICT supplier in a critical sector) and a DORA-regulated financial entity, you are subject to both. Document your compliance activities carefully — evidence that satisfies one often satisfies the other.

What the Central Bank Expects

The Central Bank of Ireland is the competent authority for most DORA obligations in Ireland. They have been clear that they expect regulated firms to have completed gap assessments and to be in an active remediation programme. Firms that cannot demonstrate awareness and progress are at risk of supervisory engagement.

The CBI's supervisory approach for smaller regulated entities is risk-proportionate — they are not expecting a 50-person credit union to have the same DORA programme as a major bank. But proportionality does not mean exemption. The core framework obligations apply to all in-scope entities regardless of size.

Practical First Steps for an Irish SME

Whether you are a small regulated financial entity or an ICT supplier to one, the starting point is the same:

Step 1: Confirm your scope. Are you a DORA-regulated entity, an ICT supplier to one, or both? The answer determines which obligations land on you directly versus contractually.

Step 2: Gap assessment. Map your current ICT risk management practices, incident response procedures, and supplier contracts against DORA requirements. Be honest about the gaps.

Step 3: Address the contract gap. If you supply ICT services to financial entities, review your master services agreements now. Your clients will be auditing supplier contracts — being ahead of that request is better than scrambling to respond.

Step 4: Build your incident classification capability. DORA's reporting timelines are tight. Four hours to initial notification means you need a classification process that runs without lengthy committee deliberation.

Step 5: Schedule your testing programme. Even basic DORA-required testing needs to be planned, resourced, and documented.

None of these steps are trivial, especially for organisations that have not previously operated under a structured ICT risk framework. A virtual CISO can accelerate the gap assessment, prioritise remediation, and produce the documentation regulators expect to see — without the cost of a permanent hire.

DORA enforcement is live. The question is not whether to comply; it is how quickly you can close the gap between where you are today and where the regulation requires you to be.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.