Digital Operational Resilience Act (DORA)

Summary

    In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was established to further strengthen the digital operational resilience of the EU financial sector by introducing a common legal framework. Besides containing comprehensive rules with respect to ICT risk management, ICT-related incident management, digital operational resilience testing and ICT third-party risks, DORA largely covers the EU financial sector, with a scope of application extended to no less than 20 types of financial entities (see the list in the section "Financial Entities under the Scope of DORA" below).

    DORA will be applicable to financial entities in the EU from 17 January 2025 onwards.

    The objective of the following chapters is to provide financial entities with an introduction to DORA, continuous updates on the latest developments, as well as frequently asked questions (FAQs).

    Update history

    Date         Update
    25/03/2024   First publication

    DORA Overview

    In view of the high degree of digitalisation and interconnectedness within the financial sector that poses risks to both the individual financial entities and financial stability, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022, commonly called the Digital Operational Resilience Act (DORA), was introduced with the objective of strengthening the digital operational resilience of the financial sector. As a part of the Digital Finance Package of the EU, DORA aims at establishing a common legal framework that streamlines the fragmented legal landscape of the EU regarding ICT risks.


    Five Main Pillars of DORA

    The objective of strengthening the digital operational resilience is achieved with the five main pillars of DORA.

    • ICT Risk Management

    The risk management section of DORA contains the key principles and requirements regarding the financial entities’ risk management framework. On the one hand, governance and organisational requirements regarding the DORA risk management framework are covered in Section I of Chapter II of DORA. On the other hand, Section II contains obligations with respect to the ICT risk management framework as part of the overall risk management system.

    • ICT-related Incident Management, Classification and Reporting

    With the requirements on ICT-related incident management, classification and reporting, detailed in Chapter III, DORA aims at harmonising and streamlining ICT-related incident reporting across the financial sector as well as extending the scope of the affected financial entities. Besides the reporting of major ICT-related incidents, DORA also provides for the voluntary notification of significant cyber threats.

    Furthermore, Chapter III of DORA also contains requirements regarding the incident management processes of financial entities.

    • Digital Operational Resilience Testing

    Chapter IV of DORA lays down the requirement for establishing a digital operational resilience testing programme to assess the preparedness for handling ICT-related incidents, and to identify weaknesses, deficiencies, and gaps in the digital operational resilience. Besides the basic testing requirements, DORA further requires advanced testing based on threat-led penetration testing (TLPT) for selected financial entities falling under the scope of the TLPT regime.

    • Managing of ICT Third-Party Risk

    In the first Section of Chapter V, DORA sets out principle-based rules for managing third-party risks within the ICT risk management framework as well as key contractual provisions to be considered when dealing with ICT third-party service providers. Furthermore, Section II of Chapter V introduces an EU-wide oversight framework of critical ICT third-party service providers.

    • Information-sharing Arrangements

    In Chapter VI, DORA further aims at enhancing the digital operational resilience of financial entities by providing for the voluntary exchange of information and intelligence on cyber threats between financial entities.


    Transposition in Luxembourg

    As an EU regulation, DORA is directly applicable to financial entities falling under the scope of DORA from 17 January 2025. However, the corresponding Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022, the aim of which is to include in all financial sector directives a cross-reference to DORA, is in the process of being transposed into national law (draft law 8291). The draft law also designates the CSSF and the Commissariat aux Assurances (CAA) as the competent authorities in Luxembourg responsible for ensuring the compliance of their respective supervised entities with DORA and defines their supervisory and enforcement powers.


    Implications for Luxembourg

    Financial Entities under the Scope of DORA

    Article 2 of DORA lists the 20 different types of financial entities falling under its scope:

    (a) credit institutions;
    (b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
    (c) account information service providers;
    (d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
    (e) investment firms;
    (f) crypto-asset service providers and issuers of asset-referenced tokens;
    (g) central securities depositories;
    (h) central counterparties;
    (i) trading venues;
    (j) trade repositories;
    (k) managers of alternative investment funds;
    (l) management companies;
    (m) data reporting service providers;
    (n) insurance and reinsurance undertakings;
    (o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
    (p) institutions for occupational retirement provision;
    (q) credit rating agencies;
    (r) administrators of critical benchmarks;
    (s) crowdfunding service providers; and
    (t) securitisation repositories.

    Specialised PFS and support PFS are classified as professionals of the financial sector (PFS) pursuant to the national Law of 5 April 1993 on the financial sector (LFS). However, they are not foreseen as a ‘financial entity’ under DORA and therefore do not fall under its scope.

    Having stated this, by the nature of the services they offer, certain PFS will be considered under DORA as ICT third-party service providers. In that case, if a PFS is designated by the three European Supervisory Authorities (ESAs) as a critical ICT third-party service provider (CTPP), this PFS will be subject to the EU-wide CTPP oversight framework introduced by Section II of Chapter V of DORA. More generally, it is worth adding that the DORA regulation should remain of interest to all PFS considered as ICT third-party service providers, as their financial sector clients will have to ensure that the contractual arrangements for the use of their ICT services comply with DORA requirements.

    Since DORA harmonises a fragmented legislative landscape, its impact on financial entities differs depending on the pre-existing requirements regarding ICT risks. The impact on an individual financial entity further depends on the required depth of implementation, which follows the principle of proportionality stated in Article 4 of DORA.

    For most financial entities in Luxembourg, DORA brings a more detailed set of rules regarding the implementation of an ICT risk management framework, ICT-related incident reporting, resilience testing and ICT third-party risk management. Due to the current fragmentation of the legal ICT landscape, the differences between the current requirements regarding ICT risks and the newly introduced requirements of DORA will vary from entity to entity, leading to different implementation gaps. Hence, it is important for each financial entity to analyse the individual gaps to start with the implementation of DORA as early as possible.

    Incident Reporting under DORA

    The currently fragmented frameworks and requirements regarding the ICT-related incident reporting in the EU financial sector are harmonised and streamlined with the DORA ICT-related incident reporting regime. The reporting requirements cover all major ICT-related incidents and will further allow for the voluntary reporting of significant cyber threats.

    To acquire a better and more structured overview of the nature, frequency, significance and impact of ICT-related incidents, the CSSF decided not to wait before amending its current incident reporting regime and replaced Circular CSSF 11/504 by Circular CSSF 24/847, which introduces an enhanced ICT-related incident reporting framework. Circular CSSF 24/847 enters into force on 1 April 2024 for the supervised entities defined in point 2 (a) to (d) and (k) to (p) of Section 1.1 of that circular, and on 1 June 2024 for the supervised entities defined in point 2 (e) to (j) of Section 1.1. For additional information related to the current incident reporting regime, please consult the ICT Risk page, section ICT-related Incident Reporting.

    When all DORA level 2 texts related to incident reporting become applicable, Circular CSSF 24/847 will be modified to align with their provisions.

    TIBER*-LU and TLPT

    With respect to the advanced testing requirements based on Article 26, DORA introduces a comprehensive and mandatory testing framework for designated financial entities, which is based on the current TIBER-EU framework. The details of the TLPT framework are still under development, based on the ESA policy mandate according to Article 26(11) of DORA and the corresponding Regulatory Technical Standards (RTS). The RTS on TLPT were under consultation until 4 March 2024 (see DORA related Delegated Regulations and Guidelines).

    The TIBER-LU framework may need to be slightly adapted considering the future final RTS on TLPT.

    For additional information related to TIBER-LU, please consult the ICT Risk page on TIBER-LU.


    * Threat Intelligence-based Ethical Red Teaming

    Useful links

    Besides the requirements of the DORA Level 1 text, DORA further contains a wide range of policy mandates for the three European Supervisory Authorities (ESAs), namely the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). The mandates and their current status are listed below.

    Adopted Commission Delegated Regulations

    • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 by determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid;
    • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 by specifying the criteria for the designation of ICT third-party service providers as critical for financial entities;
    • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents;
    • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers;
    • Commission Delegated Regulation supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

    Next step: Adoption by the European Parliament and the Council and publication in the Official Journal.

    Final Report on draft ITS published by the ESAs

    • Implementing Technical Standards (ITS) to establish the templates for the register of information (Article 28(9) of DORA)

    Texts under consultation until 4 March 2024

    • RTS and ITS on content, timelines and templates on incident reporting (Article 20 (a) and (b) of DORA);
    • Guidelines (GL) on aggregated costs and losses from major incidents;
    • RTS on subcontracting of critical or important functions (Article 30(5) of DORA);
    • RTS on oversight harmonisation (Article 41 of DORA);
    • GL on oversight cooperation between ESAs and competent authorities (Article 32(7) of DORA);
    • RTS on threat-led penetration testing (TLPT) (Article 26(11) of DORA).

    Next steps:

    • Review of the comments received in the consultation phase and finalisation of the draft RTS and ITS by the ESAs;
    • Publication of the final reports on the draft RTS and ITS by 17 July 2024;
    • Review and adoption of the delegated regulations by the European Commission;
    • Adoption by the European Parliament and the Council and publication in the Official Journal.


    Publications

    • 25 March 2024: Final report on draft ITS on Register of Information
      ESMA: Final report on draft ITS on Register of Information (europa.eu)
      EBA: Implementing Technical Standards to establish the templates for the register of information (europa.eu)

    • 8 December 2023: Consultation Paper on draft RTS and ITS on major incident reporting under DORA
      ESMA: Consultation Paper on draft RTS and ITS on major incident reporting under DORA (europa.eu)
      EBA: Joint Technical Standards on major incident reporting (europa.eu)

    • 27 November 2023: Consultation Paper on draft GL on costs and losses
      ESMA: Consultation Paper on draft GL on costs and losses (europa.eu)
      EBA: Joint Guidelines on estimation of aggregated annual costs and losses caused by major ICT-related incidents (europa.eu)

    • 27 November 2023: Consultation Paper on draft Guidelines on oversight cooperation
      ESMA: Consultation Paper on draft Guidelines on oversight cooperation (europa.eu)
      EBA: Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities (europa.eu)

    • 27 November 2023: Consultation Paper on draft RTS on subcontracting
      ESMA: Consultation Paper on draft RTS on subcontracting (europa.eu)
      EBA: Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions (europa.eu)

    • 27 November 2023: Consultation Paper on draft RTS on oversight harmonisation
      ESMA: Consultation Paper on draft RTS on oversight harmonisation (europa.eu)
      EBA: Joint Regulatory Technical Standards on the harmonisation of conditions enabling the conduct of the oversight activities (europa.eu)

    • 27 November 2023: Consultation Paper on draft RTS on TLPT
      ESMA: Consultation Paper on draft RTS on TLPT (europa.eu)
      EBA: Joint Regulatory Technical Standards specifying elements related to threat-led penetration tests (europa.eu)

    Events

    The CSSF keeps in regular contact with professional associations and exchanges with financial entities in Luxembourg during various events.