Irish companies have been described as being "a mixed bag" when it comes to implementing tough new EU laws around protecting financial institutions from cyber attacks.
The new Digital Operational Resilience Act (DORA) came into effect on Friday, January 17th, 2025.
Its aim is to safeguard EU-based financial institutions such as banks, insurance companies and investment firms from cyber attacks and Information and Communication Technology (ICT) risks.
Experts say companies will now need to improve ICT and security risk management, streamline incident response and reporting, test resilience and actively oversee third parties they deal with who may operate outside the EU.
The new laws mean firms are now expected to "anticipate, respond, recover, learn and evolve to any breach of their systems".
Ms Moira Cronin, Digital Risk Partner, PwC Ireland, said: “Many of the comments that we have heard in the last 24 months since the release of this legislation have been that the regulation is impractical, it’s a barrier for financial services firms operating in the EU and it's creating onerous requirements for firms to adhere to in order to be compliant with yet 'another regulation'.
"But if we stand back for a second and look at the spirit of the legislation - what it is actually trying to do?
"At its core, it is pushing individual firms to own the risks associated with the resilience of their full ecosystem and be accountable to its customers and stakeholders.
"It is also pushing them to understand the potential impact an ICT outage and a cyber attack can have on not only their own entity but the EU financial services market as a whole.
"It calls for the proactive management of these risks which ultimately is for the greater good of the financial services industry and the customers it serves."
She added: “DORA is a very welcome development for enhanced digital resilience but firms need to look at the risk environment within their own ecosystem and ensure the services they provide to their customers are resilient.
"They need to stop looking at the regulation as compliance and rather use it as an enabler for greater resilience and use it to transform their digital risk culture.”
However, despite knowing the new legislation was going to be introduced, not all Irish firms are ready for it.
“We have certainly seen a real 'mixed bag' of readiness in Ireland in relation to DORA," Ms Cronin explained.
"We see financial firms who are on a journey to compliance having done their gap assessments, roadmaps and are actively implementing changes and others, unfortunately, who are in a less prepared position."

She said the companies that were in the “honours class” are helping to drive a cultural change and will ultimately lead to a competitive advantage for these ‘early mover’ organisations.
Ms Cronin concluded: “These ‘top of the class’ organisations have embraced DORA not as an additional regulatory constraint but as an opportunity to differentiate themselves in the market by strengthening their operational resilience to IT, cybersecurity, business continuity and risks related to third parties.”











