Empty Link Skip to Content

Understanding the interaction between DORA and the Central Bank's Operational Resilience Guidance

Operational Resilience Toolkit PDF | 4.12 MB

In Matheson LLP's Insight entitled "Early Christmas gift from Europe – DORA is adopted", the recent adoption of DORA by the Council of the European Union is discussed. This development has left many financial services entities querying the interplay between DORA and the Central Bank of Ireland's (the "Central Bank") Cross Industry Guidance on Operational Resilience (the "Guidance") published in December 2021.

The Guidance sets out the Central Bank’s expectations of firms in terms of implementing an effective operational resilience framework. The Guidance is based on 15 Guidelines framed around three pillars of operational resilience:

  1. Identify and Prepare;
  2. Respond and Adapt; and
  3. Recover and Learn.

Crucially, the Guidance relates to resilience in respect of all types of operational disruptions, not just digital operational disruptions. Although, it does specifically address digital operational resilience under Pillar 1, Guidelines 8 and 9.  Helpfully, anticipating the adoption of DORA, the Central Bank noted in its feedback statement to the consultation paper on the draft Guidance, that same was "in line with international best practice and compatible with and complementary to DORA" and that it had "determined that there are no contradictions between this Guidance and the forthcoming DORA regulation". The Central Bank also committed to "continue to update and align the intended outcomes of our supervisory approach with relevant international operational resilience policy developments as they evolve" and "monitor international developments after the issuance of this Guidance, including any updates to ICT & Cyber Resilience best practices". Consequently, on the face of it, any work being carried out by firms in preparation for the 1 December 2023 deadline for compliance with the Guidance, will be compatible and complementary to any work required to demonstrate compliance with the obligations under DORA in due course.  It should however be flagged that we anticipate that the level of work required to ensure compliance under DORA will likely exceed that required under Guidelines 8 and 9, particularly in terms of specificity of actions.

Matheson Operational Resilience Toolkit

In response to this ongoing focus on operational resilience, Matheson LLP's Financial Institutions Group and Asset Management Department have produced an Operational Resilience Toolkit to assist clients with the application of the Central Bank's operational resilience expectations as firms navigate this space over the coming months to ensure compliance with the 1 December 2023 deadline.

We hope you find the Matheson LLP Operational Resilience Toolkit useful and that it becomes your go to resource for Operational Resilience going forward. We recommend that this Operational Resilience Toolkit be reviewed by firms alongside our earlier Outsourcing Toolkit (available here).

This article was co-authored by partners Joe Beashel, Louise Dobbyn, Darren Maher, Gráinne Callanan, Niamh Mulholland, Elaine Long and professional support lawyer Claire Scannell. Should you have any queries in respect of the materials included in the Matheson LLP Operational Resilience Toolkit or in respect of compliance with the Guidance and DORA, please do not hesitate to contact a member of the team or your usual Matheson contact.