S.I. No. 20/2025 - European Union (Digital Operational Resilience) (No. 2) Regulations 2025

Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 14th February, 2025.

I, PASCHAL DONOHOE, Minister for Finance, in exercise of the powers conferred on me by section 3 of the European Communities Act 1972 (No. 27 of 1972) and for the purpose of giving effect to Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022¹ on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, hereby make the following regulations:

Part 1

Preliminary and General

Citation

1. These Regulations may be cited as the European Union (Digital Operational Resilience) (No. 2) Regulations 2025.

Interpretation

2. (1) In these Regulations -

“Act of 1942” means the Central Bank Act 1942 (No. 22 of 1942);

“Bank” means the Central Bank of Ireland;

“contravention” includes, in relation to any provision of the Digital Operational Resilience Regulation or these Regulations, a failure to comply with that provision, and also includes -

(a) attempting to commit a contravention,

(b) aiding, abetting, counselling or procuring a person to commit a contravention,

(c) inducing, or attempting to induce, a person (whether by threats or promises or otherwise) to commit a contravention,

(d) being (directly or indirectly) knowingly concerned in, or a party to, a contravention, and

(e) conspiring with others to commit a contravention;

“Digital Operational Resilience Regulation” means Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022² on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011;

“enactment” has the same meaning as it has in the Interpretation Act 2005 (No. 23 of 2005).

(2) A word or expression that is used in these Regulations and is also used in the Digital Operational Resilience Regulation has, unless the context otherwise requires, the same meaning in these Regulations as it has in the Digital Operational Resilience Regulation.

Non-application to credit unions

3. The Digital Operational Resilience Regulation and these Regulations shall not apply to credit unions (within the meaning of the Credit Union Act 1997 (No. 15 of 1997)) until 17 January 2028.

Part 2

Competent authority

Competent authority

4. The Bank is designated as the competent authority in the State for the purposes of Articles 26(9) and 32(5), respectively, of the Digital Operational Resilience Regulation.

Part 3

Powers of Bank

Powers of Bank

5. (1) The Bank shall have all the powers necessary for the performance of its functions and duties under the Digital Operational Resilience Regulation and these Regulations.

(2) The powers provided for in this Part in respect of the Bank shall not be exercised in a manner or for a purpose inconsistent with the Bank’s obligations pursuant to the Digital Operational Resilience Regulation and these Regulations.

(3) Without limitation to the generality of paragraph (1), the Bank shall, in particular, have the powers set out in Part 4.

Part 4

Enforcement

Sanctions

6. (1) Where the provisions of the Act of 1942 are invoked in relation to a contravention of these Regulations or the Digital Operational Resilience Regulation, any of the sanctions referred to in paragraph (4) may be imposed by the Bank -

(a) following an inquiry under section 33AO or 33AR of the Act of 1942, or

(b) in accordance with section 33AR or 33AV of the Act of 1942.

(2) The power of the Bank to impose any of the sanctions referred to in paragraph (4) is in addition to and not in substitution for its power to impose any of the sanctions specified in section 33AQ of the Act of 1942.

(3) For the purposes of a contravention of these Regulations or the Digital Operational Resilience Regulation, any reference in the Act of 1942 to the sanctions set out in section 33AQ of that Act is to be read as including a reference to the sanctions referred to in paragraph (4).

(4) The sanctions referred to in paragraphs (1) and (3) are the following:

(a) an order requiring the natural or legal person to cease conduct that is in breach of the Digital Operational Resilience Regulation and to desist from a repetition of that conduct;

(b) the temporary or permanent cessation of any practice or conduct that the Bank considers to be contrary to the provisions of the Digital Operational Resilience Regulation and prevent repetition of that practice or conduct;

(c) the adoption of any type of measure, including of a pecuniary nature, to ensure that financial entities continue to comply with legal requirements;

(d) the issuance of public notices, including public statements indicating the identity of the natural or legal person and the nature of the breach.

(5) Where paragraph (4) applies to legal persons, the Bank may apply the sanctions to members of the management body and to other individuals who under the provisions of any enactment are responsible for the breach.

(6) Where a sanction set out in paragraph (4) or section 33AQ of the Act of 1942 is imposed in respect of a contravention of the Digital Operational Resilience Regulation, the type and level of any sanction or sanctions to be imposed in respect of such a contravention shall take into account the extent to which the contravention is intentional or results from negligence, and all other relevant circumstances, including the following, where appropriate:

(a) the materiality, gravity and the duration of the contravention;

(b) the degree of responsibility of the natural or legal person responsible for the contravention;

(c) the financial strength of the responsible natural or legal person;

(d) the importance of profits gained or losses avoided by the responsible natural or legal person, insofar as they can be determined;

(e) the losses for third parties caused by the contravention, insofar as they can be determined;

(f) the level of cooperation of the responsible natural or legal person with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that natural or legal person;

(g) previous contraventions by the responsible natural or legal person.

Right of appeal

7. Any decision taken or sanction imposed under the Digital Operational Resilience Regulation or these Regulations is an appealable decision for the purposes of Part VIIA of the Act of 1942.

Part 5

Amendment of Act of 1942

Amendment of Act of 1942

8. The Act of 1942 is amended –

(a) in section 2(2A), by the substitution of the following paragraphs for paragraph (bi):

“(bi) Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023³ ;

(bj) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022⁴ ;”,

(b) in section 33AK(10), in the definition of “supervisory EU legal acts”, by the insertion of the following paragraph after paragraph (ao):

“(ap) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022⁵ ;”,

(c) in section 33BC, by the insertion of the following subsection after subsection (21):

“(22) This section does not apply where Article 54 of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022⁶ applies.”,

and

(d) in Part 2 of Schedule 2, by the insertion of the following item:

“

”.

GIVEN under my Official Seal,

11 February, 2025.

PASCHAL DONOHOE,

Minister for Finance.

1 OJ No. L 333, 27.12.2022, p.1

2 OJ No. L 333, 27.12.2022, p.1

3 OJ No. L 150, 9.6.2023, p.40

4 OJ No. L 333, 27.12.2022, p.1

5 OJ No. L 333, 27.12.2022, p.1

6 OJ No. L 333, 27.12.2022, p.1