DORA Compliance Status: Compliant
Effective Date: January 17, 2025 | Last Assessment: November 2025 | Next Review: February 2026
Active Compliance
Requirement Coverage
97.4%
38/39 requirements met
System Uptime
99.98%
last 12 months
Mean Time to Recovery
28 minutes
average resolution time
Major Incidents
0
in the last 12 months
DORA Compliance Pillars
| Pillar | Articles | Description | Requirements | Implemented | Status |
|---|---|---|---|---|---|
ICT Risk Management | Articles 5-16 | Framework for managing ICT-related risks across the organization | 12 | 12 | Compliant |
ICT-Related Incident Management | Articles 17-23 | Classification, reporting, and response to ICT incidents | 8 | 8 | Compliant |
Digital Operational Resilience Testing | Articles 24-27 | Testing programs including threat-led penetration testing | 6 | 5 | Partial |
ICT Third-Party Risk Management | Articles 28-44 | Managing risks from ICT third-party service providers | 10 | 10 | Compliant |
Information Sharing | Article 45 | Cyber threat intelligence and information sharing arrangements | 3 | 3 | Compliant |
| Total | 39 | 38 | 97.4% |
ICT Systems
Asset Inventory
Complete
Critical Systems Identified12
Configuration Management
Active
Change Management
Enforced
Incident Response
Response Plan
Documented
Classification Framework
Active
Communication Procedures
Defined
Root Cause Analysis
Required
Data Protection
Data Classification
Complete
Encryption at Rest
AES-256
Backup Strategy
3-2-1
Data Retention
Compliant
Critical & Important ICT Third-Party Providers
| Provider | Service | Criticality | Location | Contract End | Last Assessment | Risk |
|---|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure | Critical | EU (Frankfurt) | December 2027 | October 2025 | Low |
| Microsoft Azure | Disaster Recovery | Critical | EU (Amsterdam) | June 2026 | September 2025 | Low |
| Refinitiv | Market Data | Important | UK (London) | March 2026 | August 2025 | Low |
| Bloomberg | Trading & Analytics | Important | US (New York) | December 2025 | November 2025 | Low |
| Cloudflare | DDoS Protection & CDN | Important | Global | September 2026 | July 2025 | Low |
Digital Operational Resilience Testing Schedule
| Test Type | Frequency | Last Test | Next Test | Status |
|---|---|---|---|---|
| Vulnerability Assessment | Monthly | November 2025 | December 2025 | On Track |
| Penetration Testing | Quarterly | October 2025 | January 2026 | On Track |
| Threat-Led Penetration Testing (TLPT) | Triennial | July 2025 | July 2028 | Completed |
| Disaster Recovery Test | Semi-Annual | September 2025 | March 2026 | On Track |
| Business Continuity Exercise | Annual | June 2025 | June 2026 | On Track |
Recent ICT Incidents
API latency spike (95th percentile > 500ms)
November 5, 2025 | Duration: 45 minutes
Minor
Resolved
Database failover triggered during maintenance
October 12, 2025 | Duration: 12 minutes
Minor
Resolved
Proactive patching - zero downtime deployment
September 28, 2025 | Duration: 0 minutes
Maintenance
Completed
DORA Regulatory Reporting Requirements
Major ICT Incident Reporting
Major ICT-related incidents must be reported to the competent authority (NCA) within prescribed timeframes: Initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month.
Register of ICT Third-Party Providers
Maintain and submit a register of information on all contractual arrangements with ICT third-party service providers, identifying critical or important functions supported.
Threat-Led Penetration Testing
Significant financial entities must conduct advanced testing using TIBER-EU framework at least every 3 years, with results reported to the competent authority.
Competent Authority
- Primary NCA: Irish Central Bank (CBI)
- Lead Overseer: European Supervisory Authorities (ESAs)
- DORA Reporting Portal: Active
- Last Submission: November 2025
Key Deadlines
- ICT Third-Party Register: Annual (Q1)
- TLPT Report: Every 3 years (Next: 2028)
- ICT Risk Framework Review: Annual
- Incident Classification Report: On occurrence