IRELAND Law and Practice Contributed by: Keith Robinson, Barry Tyrrell and Julia Mullin, Dillon Eustace LLP
excluding traditional analogue telephone ser - vices. Certain key elements of DORA are as follows. • Financial entities must have an internal gov - ernance and control framework that ensures the effective and prudent management of ICT risks, to achieve a high level of digital opera - tional resilience. The entity’s management body bears the ultimate responsibility for managing its ICT risk, in particular defining, approving, overseeing and being responsible for the implementation of all arrangements related to the entity’s ICT risk management framework. • Financial entities must maintain and update an information register regarding all contrac - tual arrangements on the use of ICT services provided by ICT third-party service providers. DORA also sets out requirements for con - tractual arrangements with third-party service providers, and additional requirements for third-party services supporting “critical or important functions”. • Financial entities are required to report major ICT-related incidents to their competent supervisory authority and are encouraged to report significant cyber threats. The key obligations in respect of any incident report - ing are: (a) ICT-related incident management pro - cessing; (b) classification of ICT-related incidents and cyber threats; (c) reporting of major ICT-related incidents; and (d) voluntary notification of significant cyber threats. • Financial entities are required to ensure that contracts for ICT services include a descrip - tion of all the services and whether subcon -
tracting of an ICT service supporting a critical or important function is permitted and on what conditions. • Financial entities must establish, maintain, and review a sound and comprehensive digi - tal operational resilience testing programme as an integral part of the ICT risk manage - ment framework. DORA sets out prescriptive requirements in respect of: (a) testing of ICT tools and systems; (b) advanced testing of ICT tools, systems and processes based on threat-led pen - etration testing (“TLPT”); and (c) testers for carrying out TLPT. • Financial entities may exchange cyber threat information and intelligence amongst them - selves, provided such information and intel - ligence sharing: (a) aims to enhance the digital operational resilience of financial entities; (b) takes place within trusted communities of financial entities; and (c) protects the potentially sensitive nature of the information and complies with GDPR requirements. Compliance of Irish banks with DORA will be supervised by the CBI. Under DORA the CBI will have all supervisory, investigatory, and sanction - ing powers necessary to fulfil their supervisory duties, including the power: • to access, receive or take copy of any docu - ment or data in any form; • to carry out on-site inspections and investi - gations, including summoning individuals for explanations or interviews; and • to require corrective and remedial measures for breaches of DORA.
260 CHAMBERS.COM
Powered by FlippingBook