Since the Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA") entered into force on 17 January 2025, the European Supervisory Authorities, namely ESMA, EIOPA and the EBA (the "ESAs"), and the relevant national competent authorities of the EU Member States have been actively working to shape its implementation. Below is an overview of a few of the key DORA developments at the EU level and at the national Luxembourg level.
European Supervisory Authorities (ESAs)
Finalisation of the CTPP designation roadmap
Financial entities subject to DORA ("DORA Entities") are required to collect, maintain and report an up-to-date register of information ("ROI") relating to all contracts for information and communication technology ("ICT") third-party services they use. Pursuant to DORA, certain ICT third-party service providers ("ICTPPs") that are deemed essential to the EU financial sector will be formally designated as critical, such service providers then being referred to as critical ICT third-party service providers ("CTPPs"). The designation of CTPPs will be done according to the detailed roadmap published by the ESAs on 18 February 2025 (the "Roadmap"). The Roadmap identifies four key milestones:
- By 30 April 2025: national competent authorities submit ICT ROIs to the ESAs.
- By end of July 2025: the ESAs assess the data and notify CTPPs of their classification as such.
- By the first half of September 2025: end of the identified CTPPs' six-week objection period in relation to the ESAs' initial assessment.
- By year-end 2025: the final list of CTPPs is published, and oversight begins.
In Luxembourg, the deadline for ROI submission is earlier: the deadline is 15 April for the CSSF and 18 April for the CAA (Commissariat aux Assurances).
ICTPPs not designated as critical may voluntarily request critical status later. The ESAs will also host an online workshop in Q2 2025 to clarify the process.
DORA applies retroactively to ICT contracts predating 17 January 2025. However, DORA Entities have until 15 January 2028 (36 months) to update legacy ICT agreements to comply with DORA's requirements. These amendments would include contractual clauses such as access and audit rights for regulators, termination rights for non-compliance and clear subcontracting protocols.
EBA streamlines ICT Risk guidelines
The EBA originally introduced its Guidelines on ICT (Information and Communication Technology) and security risk management in 2019 (the "Original ICT Risk Guidelines"). The Original ICT Risk Guidelines were based on the Capital Requirements Directive (Directive 2013/36/EU) and Payment Services Directive 2 (Directive (EU) 2015/2366) and aimed to create a consistent approach across the financial sector for managing ICT and security risks. These were implemented in Luxembourg law by way of Circular CSSF 20/750 on ICT and security risk management, as detailed below.
In light of the entry into force of DORA on 17 January 2025, the EBA published a final report dated 11 February 2025 detailing the rationale behind amending the Original ICT Risk Guidelines and adopting new Guidelines (2025/02) (the "Amended ICT Risk Guidelines"). This amendment aims to sustain the harmonised EU regulatory framework, thus limiting the scope of the Amended ICT Risk Guidelines to the limits imposed by DORA.
In the Amended ICT Risk Guidelines, the EBA reduced the initial scope of the Original ICT Risk Guidelines. The Amended ICT Risk Guidelines will cover only (1) the DORA Entities and (2) the requirements on relationship management of payment service users in relation to the provision of payment services.
Other entities or areas previously subject to the Original ICT Risk Guidelines that are not covered by DORA will not be required to follow the Amended ICT Risk Guidelines. Such entities remain, however, subject to rules under PSD2, and other national requirements, if applicable.
ESAs align with European Commission's amendments on Subcontracting RTS
Pursuant to Article 30(5) of DORA, the ESAs were responsible for drafting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).
In July 2024, the ESAs submitted to the European Commission a draft RTS specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. This draft was rejected by the Commission in a decision dated 21 January 2025, based on concerns that the provisions relating to the monitoring of the subcontracting chain in the draft RTS exceeded the authority granted to the ESAs under Article 30(5) of DORA. The Commission proposed amending the ESAs' RTS by removing requirements not specifically linked to the conditions for subcontracting.
On 7 March, the ESAs published an Opinion acknowledging the Commission amendments without proposing further changes, and agreeing to the adoption of the RTS as amended by the Commission.
ESAs FAQ update
The ESAs updated the FAQs on reporting of registers of information under Article 28(3) of DORA on 14 February 2025. The FAQs address practical matters regarding the completion of the templates set out in Commission Implementing Regulation (EU) 2024/2956, reporting formats, preparing the reporting files, maintaining registers and submitting them to the ESAs.
Luxembourg competent authorities
CSSF Circulars and clarifications
On 9 April 2025, the CSSF published a communication informing all supervised entities of important updates concerning the provisions of several CSSF circulars, following the entry into application of DORA and the adoption by the EBA of a revised set of Guidelines on ICT and security risk management (see above).
To align the existing Luxembourg rules with these changes, the CSSF issued new circulars and amended some existing circulars as set out below:
On ICT and security risk management
- Issuance of Circular CSSF 25/881 amending Circular CSSF 20/750 on requirements regarding information and communication technology (ICT) and security risk management.
- Amendment of Circular CSSF 20/750 mainly to:
  - reduce the scope to the entities that are subject to CSSF supervision but are not DORA Entities, and therefore are not subject to DORA requirements; and
  - remove the specific rules applicable to payment service providers (PSPs) (whether they are also in scope of DORA or not), which are now addressed in a separate dedicated circular (Circular CSSF 25/880, see below).
- Issuance of Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment, applicable to all PSPs within the scope of Article 1(37) of the Law of 10 November 2009 on payment services (LPS) and supervised by the CSSF. Circular CSSF 25/880:
  - transposes the EBA Amended ICT Risk Guidelines (2025/02); and
  - integrates the national requirements on the risk assessment related to PSPs (previously found in Circular CSSF 20/750).
On the use of ICT third-party services
- Issuance of Circular CSSF 25/883 amending Circular CSSF 22/806 on outsourcing arrangements.
- Amendment of Circular CSSF 22/806 mainly to:
  - reduce the scope of application: ICT outsourcing is now regulated under DORA, so Circular CSSF 22/806 is amended to cover only business process outsourcing by DORA Entities. Nonetheless, it remains fully applicable to entities not subject to DORA, and partially applicable to certain authorised investment fund managers; and
  - remove the requirement for specific contractual clauses for cloud computing service providers.
- Issuance of Circular CSSF 25/882 on the use of ICT third-party services for DORA Entities. It provides:
  - practical guidance on reporting obligations for new critical or important ICT third-party arrangements and the ROI; and
  - a section on the use of ICT services, based on relevant elements from Circular CSSF 22/806, which is not addressed by DORA.
CAA
In Circular Letter 25/1 published on 14 January 2025, the CAA (being the competent supervisory authority for the insurance sector in Luxembourg) notes that, as from 17 January 2025, DORA Entities that are also subject to CAA supervision must report major ICT incidents to the CAA using the templates published by the CAA. Additionally, the Circular Letter directs DORA Entities subject to CAA supervision to the appropriate template to be used for their first ROI submission to the CAA, due before 18 April 2025. The Circular Letter informs DORA Entities that the appropriate templates for the first ROI report can be found on the EBA website.