S.I. No. 12/2025 - European Union (Digital Operational Resilience) Regulations 2025


Notice of the making of this Statutory Instrument was published in “Iris Oifigiúil” of 24th January, 2025.

The Minister for Finance, in exercise of the powers conferred on him by section 3 of the European Communities Act 1972 (No. 27 of 1972) and for the purpose of giving effect to Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022¹ amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector, hereby makes the following regulations:

Citation and commencement

1. (1) These Regulations may be cited as the European Union (Digital Operational Resilience) Regulations 2025.

(2) These Regulations shall come into operation on 17 January 2025.

Amendment of European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011

2. Regulation 22 of the European Communities (Undertakings for Collective Investment in Transferable Securities) Regulations 2011 (S.I. No. 352 of 2011) is amended, in paragraph (2), by the substitution of the following subparagraph for subparagraph (a):

“(a) has sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, including with regard to network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022², as well as adequate internal control mechanisms, including, in particular, rules for personal transactions by its employees or for the holding or management of investments in financial instruments in order to invest on its own account and ensuring, at least, that each transaction involving the UCITS may be reconstructed according to its origin, the parties to it, its nature, and the time and place at which it was effected and that the assets of the UCITS managed by the management company are invested according to the fund rules or the instruments of incorporation and the legal provisions in force, and”.

Amendment of European Union (Alternative Investment Fund Managers) Regulations 2013

3. Regulation 19 of the European Union (Alternative Investment Fund Managers) Regulations 2013 (S.I. No. 257 of 2013) is amended by the substitution of the following paragraph for paragraph (2):

“(2) In particular, the Bank, having regard also to the nature of the AIFs managed by the AIFM, shall require that the AIFM has sound administrative and accounting procedures, control and safeguard arrangements for electronic data processing, including with regard to network and information systems that are set up and managed in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022², as well as adequate internal control mechanisms, including, in particular, rules for personal transactions by its employees or for the holding or management of investments in order to invest on its own account and ensuring, at least, that each transaction involving the AIFs may be reconstructed according to its origin, the parties to it, its nature, and the time and place at which it was effected and that the assets of the AIFs managed by the AIFM are invested in accordance with the AIF rules or instruments of incorporation and the legal provisions in force.”.

Amendment of European Union (Capital Requirements) Regulations 2014

4. The European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014) are amended –

(a) in Regulation 3(1), by the insertion of the following definition:

“ ‘DORA Regulation’ means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022² on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;”,

(b) in Regulation 53, by the substitution of the following subparagraph for subparagraph (f):

“(f) third parties to whom the entities referred to in subparagraphs (a) to (d) have outsourced operational functions or activities, including ICT third-party service providers referred to in Chapter V of the DORA Regulation,”,

(c) in Regulation 61(1)(c) –

(i) in clause (i), by the substitution of “procedures,” for “procedures, and”,

(ii) in clause (ii), by the substitution of “risk management, and” for “risk management.”, and

(iii) by the insertion of the following clause after clause (ii):

“(iii) network and information systems that are set up and managed in accordance with the DORA Regulation.”,

(d) in Regulation 73, by the substitution of the following paragraph for paragraph (3):

“(3) Institutions shall have adequate contingency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technology they use for the communication of information, and that those plans are established, managed and tested in accordance with Article 11 of the DORA Regulation, in order to allow institutions to keep operating in the event of severe business disruption and limit losses incurred as a consequence of such disruption.”,

and

(e) in Regulation 85(1) –

(i) in subparagraph (c), by the substitution of “institution’s activities;” for “institutions activities.”, and

(ii) by the insertion of the following subparagraph after subparagraph (c):

“(d) risks revealed by digital operational resilience testing in accordance with Chapter IV of the DORA Regulation.”.

Amendment of European Union (Bank Recovery and Resolution) Regulations 2015

5. The European Union (Bank Recovery and Resolution) Regulations 2015 (S.I. No. 289 of 2015) are amended –

(a) in Regulation 3(1), by the insertion of the following definition:

“ ‘DORA Regulation’ means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022² on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;”,

(b) in Regulation 18(2) –

(i) by the substitution of the following subparagraph for subparagraph (c):

“(c) a demonstration of how critical functions and core business lines could be legally and economically separated, to the extent necessary, from other functions so as to ensure continuity and digital operational resilience upon the failure of the institution;”,

and

(ii) by the substitution of the following subparagraph for subparagraph (q):

“(q) a description of essential operations and systems for maintaining the continuous functioning of the institution’s operational processes, including network and information systems as referred to in the DORA Regulation;”,

and

(c) in the Schedule –

(i) in Part 1, by the substitution of the following paragraph for paragraph 16:

“16. arrangements and measures necessary to maintain the continuous functioning of the institution’s operational processes, including network and information systems that are set up and managed in accordance with the DORA Regulation;”,

(ii) in Part 2 –

(I) by the substitution of the following paragraph for paragraph 14:

“14. an identification of the owners of the systems identified in paragraph (13), service level agreements related thereto, and any software and systems or licenses, including a mapping to their legal entities, critical operations and core business lines, as well as an identification of critical ICT third-party service providers as defined in Article 3, point (23), of the DORA Regulation;”

and

(II) by the insertion of the following paragraph after paragraph 14 (amended by clause (I)):

“14A. the results of institutions’ digital operational resilience testing under the DORA Regulation;”,

and

(iii) in Part 3 –

(I) by the substitution of the following paragraph for paragraph 4:

“4. the extent to which the service agreements, including contractual arrangements on the use of ICT services, that the institution maintains are robust and fully enforceable in the event of resolution of the institution;”

and

(II) by the insertion of the following paragraph after paragraph 4 (amended by clause (I)):

“4A. the digital operational resilience of the network and information systems supporting critical functions and core business lines of the institution, taking into account major ICT-related incident reports and the results of digital operational resilience testing under the DORA Regulation;”.

Amendment of European Union (Insurance and Reinsurance) Regulations 2015

6. Regulation 44 of the European Union (Insurance and Reinsurance) Regulations 2015 (S.I. No. 485 of 2015) is amended by the substitution of the following paragraph for paragraph (9):

“(9) The undertaking shall take reasonable steps to ensure continuity and regularity in the performance of its activities, including the development of contingency plans and for that purpose it shall employ appropriate and proportionate systems, resources and procedures, and shall, in particular, set up and manage network and information systems in accordance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022².”.

Amendment of European Union (Markets in Financial Instruments) Regulations 2017

7. The European Union (Markets in Financial Instruments) Regulations 2017 (S.I. No. 375 of 2017) are amended –

(a) in Regulation 3(1), by the insertion of the following definition:

“ ‘DORA Regulation’ means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022² on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;”,

(b) in Regulation 23(1) –

(i) by the substitution of the following subparagraph for subparagraph (f):

“(f) take reasonable steps to ensure continuity and regularity in the performance of investment services and activities for those purposes shall employ appropriate and proportionate systems, including information and communication technology (‘ICT’) systems that are set up and managed in accordance with Article 7 of the DORA Regulation, as well as appropriate and proportionate resources and procedures,”,

(ii) in subparagraph (i) –

(I) in clause (ii), by the substitution of “mechanisms, and” for “mechanisms,”,

(II) in clause (iii), by the substitution of “risk assessment.” for “risk assessment, and”,

and

(III) by the deletion of clause (iv),

and

(iii) by the substitution of the following subparagraph for subparagraph (j):

“(j) without prejudice to the Bank’s ability to require access to communications in accordance with these Regulations and Regulation (EU) No 600/2014, have sound security mechanisms in place to ensure, in accordance with the requirements laid down in the DORA Regulation, the security and authentication of the means of transfer of information, to minimise the risk of data corruption and unauthorised access and to prevent information leakage, thereby maintaining the confidentiality of the data at all times,”,

(c) in Regulation 24 –

(i) in paragraph (1), by the substitution of the following subparagraph for subparagraph (b):

“(b) have sufficient capacity in accordance with the requirements laid down in Chapter II of the DORA Regulation”,

and

(ii) by the substitution of the following paragraph for paragraph (2):

“(2) An investment firm engaging in algorithmic trading shall –

(a) have effective business continuity arrangements to deal with any failure of its trading systems, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of the DORA Regulation, and

(b) ensure that its trading systems are fully tested and monitored to ensure compliance with the requirements of paragraph (1) and any specific requirements laid down in Chapters II and IV of the DORA Regulation.”,

(d) in Regulation 70(b), by the substitution of the following subparagraph for subparagraph (i):

“(i) manage the risks to which it is exposed, including to manage ICT risk in accordance with Chapter II of the DORA Regulation,”,

and

(e) in Regulation 72 –

(i) by the substitution of the following paragraph for paragraph (1):

“(1) A regulated market shall establish and maintain its operational resilience in accordance with the requirements laid down in Chapter II of the DORA Regulation to ensure its trading systems –

(a) are resilient,

(b) have sufficient capacity to deal with peak order and message volumes,

(c) are able to ensure orderly trading under conditions of severe market stress,

(d) are fully tested to ensure such conditions are met, and

(e) are subject to effective business continuity arrangements, including ICT business continuity policy and plans and ICT response and recovery plans established in accordance with Article 11 of the DORA Regulation, to ensure continuity of its services if there is any failure of its trading systems.”,

and

(ii) by the insertion of the following paragraph after paragraph (1) (amended by subparagraph (i)):

“(1a) A regulated market shall have in place effective systems, procedures and arrangements, including requiring members or participants to carry out appropriate testing of algorithms and providing environments to facilitate such testing in accordance with the requirements laid down in Chapters II and IV of the DORA Regulation –

(a) to ensure that algorithmic trading systems cannot create or contribute to disorderly trading conditions on the market, and

(b) to manage any disorderly trading conditions which do arise from such algorithmic trading systems, including systems –

(i) to limit the ratio of unexecuted orders to transactions that may be entered into the system by a member or participant, to be able to slow down the flow of orders if there is a risk of its system capacity being reached, and

(ii) to limit and enforce the minimum tick size that may be executed on the market.”.

Amendment of European Union (Payment Services) Regulations 2018

8. The European Union (Payment Services) Regulations 2018 (S.I. No. 6 of 2018) are amended –

(a) in Regulation 2(1), by the insertion of the following definition:

“ ‘DORA Regulation’ means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022² on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011;”,

(b) in Regulation 4(1)(j), by the substitution of “information and communication technology (ICT) and communication network provision” for “information technology and communication network provision”,

(c) in Regulation 7 –

(i) in paragraph (2) –

(I) in subparagraph (e), by the insertion of “as well as arrangements for the use of ICT services in accordance with the DORA Regulation” after “accounting procedures”,

(II) in subparagraph (f), by the insertion of “or laid down in Chapter III of the DORA Regulation, as the case may be,” after “under Regulation 119,”, and

(III) in subparagraph (h), by the insertion of “(including effective ICT business continuity policy and plans and ICT response and recovery plans)” after “effective contingency plans”,

and

(ii) in paragraph (4), by the substitution of “digital operational resilience in accordance with Chapter II of the DORA Regulation, in particular in relation to technical security and data protection, including for the software and ICT systems” for “technical security and data protection, including for the software and information technology systems”,

(d) in Regulation 30(8), by the substitution of “ICT systems” for “information technology systems”,

(e) in Regulation 118, by the insertion of the following paragraph after paragraph (3):

“(4) Paragraphs (1) and (2) are without prejudice to the application of Chapter II of the DORA Regulation to the following:

(a) credit institutions;

(b) electronic money institutions;

(c) payment institutions;

(d) account information service providers referred to in Regulation 42;

(e) payment institutions exempted by the Bank pursuant to Regulation 41;

(f) electronic money institutions benefitting from a waiver as referred to in Regulation 33 of the European Communities (Electronic Money) Regulations 2011.”,

and

(f) in Regulation 119, by the insertion of the following paragraph after paragraph (7):

“(8) Paragraphs (1) to (5) shall not apply to the following:

(a) credit institutions;

(b) electronic money institutions;

(c) payment institutions;

(d) account information service providers referred to in Regulation 42;

(e) payment institutions exempted by the Bank pursuant to Regulation 41;

(f) electronic money institutions benefitting from a waiver as referred to in Regulation 33 of the European Communities (Electronic Money) Regulations 2011.”.


GIVEN under the Official Seal of the Minister for Finance,

17 January, 2025.

JACK CHAMBERS,

Minister for Finance.

1 OJ No. L333, 27.12.2022, p. 153

2 OJ No. L333, 27.12.2022, p. 1
