Overview
The European Union's financial sector's digital operational resilience is undergoing significant enhancement through the implementation of Regulation (EU) 2022/2554 (“DORA” or the "Regulation") and Directive (EU) 2022/2556 (the “Directive”) both adopted on 14 December 2022. Complementing and transposing these EU measures, Luxembourg has enacted the Law of 1 July 2024 (the "Law"), amending various national laws to implement DORA and transpose the Directive.
As highlighted in our October 2023 newsletter, the primary aim of DORA is to bolster the EU financial system's digital operational resilience by establishing robust "ICT" (Information and Communication Technology) frameworks. This necessity stems from the increasing importance of ICT-related products and the corresponding rise in cyber threats that could potentially trigger systemic crises within the financial sector.
Key pillars of DORA
DORA is structured around five fundamental pillars:
ICT risk management;
ICT incident management, classification, and reporting;
Digital operational resilience testing;
ICT third-party risk management; and
Information sharing.
These pillars constitute the foundation of the legislative and regulatory measures derived from DORA, which will be enforceable from 17 January 2025.
Scope of application
DORA targets 20 types of financial entities listed in Article 2 of the Regulation (“In-Scope-FEs”), including credit institutions, investment firms, trading venues and credit rating agencies. However, professionals of the financial sector ("PFS") as defined in the Law of 5 April 1993 on the financial sector, as amended, are excluded from its scope.
Furthermore, DORA's impact extends to ICT third-party service providers critical for financial entities. The Commission Delegated Regulation (EU) 2024/1502 of 22 February 2024 outlines the criteria for designating these providers as critical, emphasizing their significant role in maintaining the financial system's integrity.
Supervision of the affected entities is conducted by the European Supervisory Authorities ("ESAs"), namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), alongside relevant national authorities.
Legislative and regulatory framework
At the EU level, DORA acts as a consolidated instrument addressing ICT risks within the financial sector, while the Directive complements it by amending existing European directives. DORA's provisions are directly applicable across all EU Member States. The ESAs have been tasked with drafting regulatory technical standards ("RTS") and implementing technical standards (ITS), to be adopted by the European Commission.
The initial set of RTS/ITS was published in January 2024, following consultations that ensured simplified, efficient requirements and sector-specific considerations. These standards, formalised through delegated and implementing acts, define the obligations under DORA. The subsequent set of rules is expected to be submitted to the Commission by 17 July 2024.
Specific highlights of DORA
Single EU-hub (Art. 21 DORA)
DORA introduces the possibility of a centralized institution for handling major ICT-related incident reports, either by coordinating with competent authorities or receiving reports directly from In-Scope-FEs.
Mandatory testing framework (Art. 26 DORA)
A comprehensive testing framework based on the TIBER-EU framework has been established to help enhance cyber resilience through controlled cyberattacks.
Register of information (Art. 28.9 DORA)
In-Scope FEs must maintain a register of ICT service contracts, which may be requested by financial supervisors to monitor ICT-related dependencies.
EU-level oversight by ESAs (Chapter VII DORA)
The ESAs have been granted oversight powers over ICT third-party service providers, including investigations and inspections, starting from 2025.
Luxembourg's national legislation
The Law equips competent Luxembourg authorities (CSSF and CAA) with supervisory powers and establishes an administrative fines regime of up to EUR 5 million.
The Law was published on 2 July 2024 in the Luxembourg Official Gazette and shall become effective on 17 January 2025.
CSSF circular
The CSSF has issued Circular CSSF 24/847 to replace the previous Circular CSSF 11/504, introducing an enhanced ICT-related incident reporting framework, aligning with DORA's requirements.
Action items for financial entities and ICT service providers
To ensure compliance, financial entities must assess their current ICT frameworks and address deficiencies promptly. The principle of proportionality (Article 4 DORA) regulates the severity of requirements based on the entity's size and service nature. ICT service providers must also adapt to DORA's requirements, given their significant role in supporting financial sector clients.
Share on
