Replying to an AIB or Bank of Ireland DORA assessment
A DORA questionnaire from AIB, Bank of Ireland, PTSB or one of the credit unions doesn't look quite like one from a German or French bank. The structure follows the regulation, but the local interpretation is shaped by the Central Bank of Ireland's expectations and by the years of operational resilience and outsourcing supervision that preceded DORA. Here's how to read it, and a 5-day playbook for vendors facing their first assessment.
What "Irish DORA" looks like in practice
DORA is a regulation, so the text is identical across the EU. What varies is the supervisor's reading. In Ireland three things shape how questionnaires are written and reviewed:
1. The Central Bank's prior framework
The Central Bank of Ireland published its Cross-Industry Guidance on Operational Resilience in December 2021, three years before DORA applied from 17 January 2025. Irish entities have been working to an operational resilience cycle built around identifying critical or important business services, mapping the dependencies behind them, setting impact tolerances, scenario testing and learning from the results. When they ask you about your incident response or BCP, they are implicitly checking that you fit into that established vocabulary, so describe your capabilities in those terms.
2. The PRISM supervisory model
The Central Bank classifies entities by impact (Ultra High, High, Medium-High, Medium-Low, Low) and uses that to set inspection cadence. Big retail banks (AIB, BOI) sit at the top — their compliance teams are large and well-rehearsed, and the questionnaires they send vendors are correspondingly detailed.
3. The dual-jurisdiction context
Irish entities frequently service customers across Ireland and the UK. Many of their vendor questions about data residency, third-country transfers and consumer protection carry assumptions from both DORA and the UK FCA's operational resilience policy. If you serve both markets, be explicit about which controls apply where, and say which legal entity and which hosting region each statement covers.
What an Irish bank actually asks
A typical AIB or BOI vendor assessment runs 60–80 questions across eight domains. The distribution looks like this:
| Domain | Typical questions | What they really want to see |
|---|---|---|
| Governance | 5–8 | Named accountable officer, board-level visibility, ICT risk on the risk register. |
| ICT risk management | 10–14 | A current risk framework, evidence it's reviewed annually, controls tied to identified risks. |
| Information security | 12–18 | ISO 27001 or SOC 2 Type II in date; vulnerability management cadence; encryption at rest and in transit. |
| Incident management | 6–10 | 24/7 detection, named on-call rota, a short contractual notification window (2 hours is common, because the bank itself must make its initial major-incident report under DORA within 4 hours of classification and no later than 24 hours of becoming aware), post-incident review process. |
| BCP / DR | 6–8 | RTO and RPO targets, tested annually, evidence of the test outcome. |
| Sub-outsourcing | 5–8 | Public sub-processor list, notice mechanism, no critical function delivered from outside the EEA without justification. |
| Exit and transition | 4–6 | Documented exit plan, data portability, cooperation in a supervisor-ordered exit. |
| Audit and assurance | 3–5 | Right of audit accepted, evidence of recent independent assurance, willingness to participate in TLPT. |
Where Irish banks differ from continental ones
- More weight on individual accountability. Ireland has the Senior Executive Accountability Regime (SEAR) for regulated entities. Even when SEAR doesn't apply to you the vendor, the bank's third-party risk officer is conditioned to ask "who is the named owner for this?" on every control.
- Stricter on data location. Irish banks often ask vendors to confirm not just that data is in the EEA but that any failover or backup region is also EEA. Vendors with a US disaster-recovery region get probed harder than those with EU-only architecture.
- UK awareness. If your vendor footprint includes UK regions or UK sub-contractors, expect questions framed around the UK regulators' critical third parties regime as well as DORA. A short statement of how the two regimes line up saves a follow-up cycle.
- Tolerance for credit-union vendors. Smaller entities (credit unions, small EMIs) are still required to comply, but their questionnaires are leaner — typically 30–40 questions, often based on the Irish League of Credit Unions template.
A 5-day playbook for your first Irish assessment
You've just received a 70-question PDF from a bank's third-party risk team. Two-week deadline. Here's how to spend the first five working days.
Day 1 — Read, classify, scope
Read every question. Tag each with the domain (use the eight above). Identify the 10–15 questions where you'll need help from outside engineering (legal, exec sponsor, finance). Schedule those calls now.
Day 2 — Harvest existing evidence
ISO 27001 audit report, SOC 2 Type II, pen-test summary, BCP test report, DPA, sub-processor list, security whitepaper. Roughly 60% of the answers come straight out of these. Build a single shared folder.
Day 3 — Draft the substantive answers
Work domain by domain. Keep answers short and factual; cite the evidence document by name. The bank's reviewer is looking for "yes, here's the proof", not marketing.
Day 4 — Review with legal and exec
The questions on liability, audit rights, sub-outsourcing notice and termination need a sign-off. This is where you decide what to push back on. A checklist of the contractual provisions required by DORA Article 30 is useful here: most of the non-negotiable clauses a bank will insist on come straight from it.
Day 5 — Polish, sanity-check, submit
Every answer must reference a real document. Every "not applicable" needs a one-line justification. Every forward-looking commitment needs a date. Submit through the bank's portal (BIA, ServiceNow, OneTrust — varies) with a short cover note acknowledging the deadline.
What happens after submission
Two outcomes are common:
- Clarification round. The reviewer comes back with 5–15 follow-up questions, usually targeting the sub-outsourcing chain and the exit plan. Quick turnaround (3 working days) keeps momentum.
- Pass with conditions. The contract goes ahead but with commitments: annual re-attestation, a named point of contact, participation in the bank's next TLPT cycle.
Plan to reuse 80% of these answers when the next Irish bank (or any EU bank) sends you their version.
References: Central Bank of Ireland, Cross-Industry Guidance on Operational Resilience (December 2021); the Central Bank of Ireland's DORA implementation page; the technical standards adopted under Regulation (EU) 2022/2554 (DORA) and developed by the European Supervisory Authorities; and public vendor-assessment templates from Irish retail banks.