In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalisation and interconnectedness, the Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022, commonly called the Digital Operational Resilience Act (DORA), was established to further strengthen the digital operational resilience in the EU financial sector by introducing a common legal framework. As a part of the Digital Finance Package of the EU, DORA aims at establishing a common legal framework that streamlines the fragmented legal landscape of the EU regarding ICT risks. Besides containing comprehensive rules with respect to ICT risk management, ICT-related incident management, digital operational resilience testing and ICT third-party risks, DORA largely covers the EU financial sector with a scope of application extended to no less than 20 types of financial entities as defined in DORA Article 2(1)(a) – (t).
DORA applies to financial entities in the EU since 17 January 2025.
The objective of strengthening the digital operational resilience is achieved with the five main pillars of DORA.
For additional information related to new technologies, such as DLT and artificial intelligence, please consult the Financial innovation page.
As an EU regulation, DORA is directly applicable to financial entities falling under its scope since 17 January 2025. The corresponding Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022, which aims to include in all financial sector directives a cross-reference to DORA, was transposed into national law on 1 July 2024. In this context, the CSSF and the Commissariat aux Assurances (CAA) have been designated as the competent authorities in Luxembourg responsible for ensuring the compliance of their respective supervised entities with DORA, and their supervisory and enforcement powers have been defined.
Besides the requirements of the DORA Level 1 text, DORA further established a wide range of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) specifying further detailed requirements. The applicable RTS and ITS are listed throughout this website under their relevant pillar below.
The three European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which collectively oversee the EU’s banking, securities and insurance sectors, have developed and are constantly expanding joint Q&As to support the consistent and effective application of the EU regulatory framework to the financial services sector. The Joint Q&A register tool includes the answers to the DORA questions, which can be filtered accordingly. In this tool, the ESAs’ answers as well as the answers provided by the European Commission can be consulted.
Chapter II of DORA is specifically addressing ICT risk management. Financial entities are mandated to implement a robust ICT risk management framework that encompasses comprehensive strategies, policies, procedures, protocols, and technical tools to protect ICT assets and ensure resilient operations.
Under DORA, the management body holds ultimate accountability for the financial entity’s ICT risk management framework, ensuring effective governance, prudent oversight of digital operational resilience strategies and the allocation of appropriate budget. The management body must establish clear roles and responsibilities for all ICT-related functions, assign a role to monitor arrangements with ICT third-party service providers, and designate an independent control function to oversee ICT risk, ensuring appropriate segregation.
The RTS specifying criteria regarding ICT risk management (Commission Delegated Regulation (EU) 2024/1774) provides detailed guidance on these elements, covering areas such as ICT asset management, encryption, network and operations security, as well as project and change management. The standard also outlines the necessary measures for human resources and access control, ensuring that responsibilities are clearly assigned, and that risk oversight is maintained at all levels. Additionally, the RTS requires the implementation of effective incident detection, response, and business continuity procedures to minimise the impact of potential ICT disruptions.
For smaller or non-interconnected financial entities, a simplified ICT risk management framework has been introduced, balancing essential security measures with a proportionate regulatory burden. This lighter approach focuses on the core elements necessary for safeguarding data and ensuring operational continuity without imposing overly complex compliance requirements.
A critical component of DORA is the annual review of the ICT risk management framework, which must be thoroughly documented and reported upon request. This review report should detail major changes, evaluate the effectiveness of risk mitigation measures, and identify any gaps requiring remediation.
By adhering to these harmonised requirements, financial entities not only comply with DORA but also significantly enhance their digital resilience, thereby contributing to a more secure and stable European financial system.
Circular CSSF 21/769 establishes governance and security requirements for supervised entities implementing telework solutions. A key baseline requirement is that entities must maintain robust central administration and sufficient substance at their Luxembourg premises. This includes ensuring that staff members working remotely, particularly cross-border commuters, are able to return to the entity’s premises on short notice when necessary. The circular also mandates that entities define a telework policy outlining which activities can be performed remotely and which must remain on-site, as well as specifying the minimum number of staff required to be present at the premises to ensure operational continuity.
With the requirements on ICT-related incident management, classification and reporting, detailed in Chapter III, DORA aims at harmonising and streamlining the ICT-related incident reporting across the financial sector as well as extending the scope of the affected financial entities.
In particular, Chapter III of DORA contains requirements regarding the incident management process of financial entities as well as the reporting of major ICT-related incidents and the voluntary notification of significant cyber threats.
Financial entities are required to comply with the obligations for classifying and reporting major ICT-related incidents and, if applicable, significant cyber threats. The specifics regarding classification and reporting are detailed in the following Regulatory Technical Standards and Implementing Technical Standards:
Circular CSSF 25/893 on Reporting of major ICT-related incidents and significant cyber threats under DORA, provides the modalities according to which financial entities in scope of DORA are required to notify the major ICT-related incidents as well as, if applicable, significant cyber threats to the CSSF.
In addition, financial entities under DORA are also required to report, upon request from the competent authority, an estimation of aggregated annual costs and losses caused by major ICT-related incidents (Article 11(10), Chapter II). In that respect, the ESAs, through the Joint Committee, have developed the Joint Guidelines on the estimation of aggregated annual costs and losses (JC GL 2024 34). Circular CSSF 25/892 adopts these guidelines.
Chapter IV of DORA lays down the requirement for establishing a digital operational resilience testing programme to assess the preparedness for handling ICT-related incidents, and to identify weaknesses, deficiencies, and gaps in the digital operational resilience. Besides the basic testing requirements, DORA further requires advanced testing based on threat-led penetration testing (TLPT) for selected financial entities falling under the scope of the TLPT regime.
As outlined in Articles 24 and 25 of DORA, financial entities must establish and maintain a comprehensive digital operational resilience testing programme to assess preparedness for ICT-related incidents and identify weaknesses or gaps in resilience. The programme should include a wide variety of assessments such as vulnerability scans, network security reviews, source code analysis and scenario-based tests to ensure robust risk management. A risk-based approach should guide the selection of suitable tests and methodologies, focusing particularly on ICT systems supporting critical or important functions. At least once a year, entities must conduct appropriate tests to verify the effectiveness of their resilience measures. Tests should be carried out by independent parties, whether internal or external.
With respect to the advanced testing requirements based on Article 26, DORA introduces a comprehensive and mandatory testing framework for identified financial entities, which is in accordance with the TIBER-EU framework.
The ESAs, in agreement with the ECB, developed the RTS on TLPT which was adopted by the European Commission on the 13 February 2025. The RTS further specifies:
The CSSF is the TLPT authority for the financial sector under its supervision in line with Article 46 of DORA.
The TIBER-EU framework provides comprehensive guidance on how authorities, entities, threat intelligence providers and red-team testers should work together to test and improve the cyber resilience of entities by carrying out controlled cyberattacks on a voluntary basis.
In November 2021, the Banque centrale du Luxembourg (BCL) and the Commission de surveillance du secteur financier (CSSF) decided to jointly adopt the testing framework for controlled cyber-attacks, namely TIBER-LU, in line with their respective financial stability mandates. The TIBER-LU implementation document was revised following the entry into force of DORA and will be published shortly.
In the first Section of Chapter V, DORA sets out principle-based rules for managing third-party risks within the ICT risk management framework as well as key contractual provisions to be considered when dealing with ICT third-party service providers. Furthermore, Section II of Chapter V introduces an EU-wide oversight framework of critical ICT third-party service providers.
Under DORA Chapter V Section I, financial entities are required to establish a robust framework for managing ICT third-party risk to safeguard critical functions. The regulation mandates that institutions develop clear policies governing the ICT services that support critical or important functions provided by external third-party service providers. Furthermore, it establishes key contractual provisions that must be incorporated in agreements with ICT third-party service providers to ensure proper risk allocation and regulatory compliance. The RTS specifying policy criteria for the critical ICT third-party service providers in the financial sector (Commission Delegated Regulation (EU) 2024/1773) details the policy requirements for these ICT services to ensure they meet stringent security and operational resilience criteria. Furthermore, the RTS on subcontracting specifies the key elements that financial entities must determine and assess when subcontracting ICT services that support essential functions. Together, these measures help mitigate risks arising from external dependencies while ensuring that ICT third-party arrangements do not compromise overall digital operational resilience.
Circular CSSF 25/882 on requirements on the use of ICT third-party services for financial entities subject to DORA further outlines key requirements for the use of ICT operation services in Luxembourg, specifying which third-party providers can be used in Luxembourg. It contains requirements for the backup of accounting data and client positions. It furthermore clarifies the definition of cloud services and emphasises the designation of a cloud officer who is responsible for the use of cloud services and for guaranteeing the competence of the staff managing cloud computing resources.
Following DORA Article 28(3), financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.
With regard to notifications of planned ICT arrangements, the following applies:
DORA mandates that financial entities establish, maintain, and regularly update a register of information detailing all contractual arrangements related to ICT services provided by third-party service providers. This register must be made available to the competent authority annually, and in addition upon request, ensuring transparency and facilitating effective supervision. Implementing Technical Standard (ITS) on the standard templates for the register of information (Commission Implementing Regulation (EU) 2024/2956) provides detailed templates and guidelines for maintaining the register. The register of information plays a crucial role in managing ICT third-party risk and helps authorities identify critical service providers subject to EU oversight.
For the preparation and reporting of the register of information, a wide variety of practical information is available. The European Banking Authority (EBA) has published its technical package for its 4.0 reporting framework, which includes a comprehensive data point model, taxonomy and validation rules. Furthermore, the ESAs have published all related practical information and instructions, including the latest FAQ, on the register of information. The CSSF highly recommends that financial entities monitor these pages closely to ensure they are fully prepared for the timely submission of their register.
The CSSF has published three guidance documents to assist financial entities in preparing and submitting their Register of Information (RoI) in compliance with DORA:
These tables assist financial entities in determining whether they need to submit an RoI to the CSSF and, if so, at what level of consolidation.
This guide addresses frequent issues encountered during the validation checks of RoI submissions. It offers practical advice to ensure that submissions meet the required standards and are processed smoothly.
This document provides, for the most frequent error and warning messages raised by the ESAs, mapping tables between the ESA codes, the description of the underlying issues and instructions on how to resolve them.
Financial entities are encouraged to consult these documents to facilitate accurate and efficient RoI submissions.
DORA Chapter V Section II establishes an oversight framework for ICT third-party service providers which are designated as critical by the ESAs, based on criteria defined in Commission Delegated Regulation (EU) 2024/1502 specifying the criteria for the designation of ICT third-party service providers as critical for financial entities. Once designated as critical third-party service providers (CTPPs), these providers fall under enhanced scrutiny, with a Lead Overseer appointed to coordinate monitoring efforts and to ensure that CTPPs have in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage ICT risk. Additionally, joint examination teams (JETs), comprising representatives from the ESAs and multiple competent authorities, are empowered to conduct comprehensive reviews and assessments of these critical providers, focusing on their risk management practices, operational performance and resilience measures. Together, these mechanisms help safeguard the stability of the financial sector through oversight of the most critical ICT service providers.
A comprehensive oversight framework for CTPPs is established through a series of regulatory and technical standards. The RTS on harmonisation of conditions for oversight conduct (Commission Delegated Regulation (EU) 2025/295) standardises supervisory practices across EU Member States, detailing provisions for information access, on-site inspections and enforcement measures to ensure consistent application of oversight activities. Complementing this, the RTS on Joint Examination Teams (Commission Delegated Regulation (EU) 2025/420) outlines criteria for assembling teams from the ESAs and national competent authorities, ensuring effective supervision of CTPPs. Additionally, the Joint Guidelines on oversight cooperation (JC 2024 36) facilitate efficient collaboration and information exchange between the ESAs and competent authorities, enhancing the supervision of CTPPs. Commission Delegated Regulation (EU) 2024/1505 specifying fees for the critical ICT third-party service providers in the financial sector sets out the annual oversight fees payable by CTPPs to cover the Lead Overseer’s necessary expenditure, including a minimum fee and a turnover-based component.
In Chapter VI, DORA further aims at enhancing the digital operational resilience of financial entities by providing for the voluntary exchange of information and intelligence on cyber threats between financial entities. The purpose of these arrangements is to foster collaboration and exchange of relevant data on cyber threats, vulnerabilities and incidents between financial entities in order to improve collective cybersecurity and operational resilience within the financial system, especially during times of crisis or emerging threats. These arrangements are on a voluntary basis and financial entities should notify the CSSF of their participation, upon validation of their membership, or, as applicable, of the cessation of their membership, once it takes effect.
Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS”), as well as Commission Delegated Regulation (EU) 2022/2360 amending the RTS as regards the 90-day exemption for account access, set key requirements to improve the security of payment services across the European Union. The payment service providers (“PSPs”) concerned by the new obligations are the ones defined in points (i), (ii), (iii) and (iv) of Article 1(37) of the Law of 10 November 2009 (as amended) on payment services and for which the CSSF is the designated competent authority for supervisory purposes under the law:
i) Credit institutions
ii) Electronic money institutions
iii) POST Luxembourg
iv) Payment institutions
The RTS also requires all payment service providers who offer payment accounts accessible online to offer at least one access interface enabling secure communication with, and access by, account information service providers and payment initiation service providers (AISPs and PISPs) to the payment service user’s payment account data. PSPs that have opted to offer access via a dedicated interface are required to implement a contingency mechanism (also called a fallback mechanism), unless they receive an exemption from the CSSF in accordance with the four conditions set out under Article 33(6) of the RTS.
All PSPs concerned that would like to obtain such an exemption are required to refer to Circular CSSF 19/720 adopting the EBA Guidelines specifying further the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS and to fill in the form for exemption authorisation request available on the CSSF website. This form must be submitted via email to the address psd2-exemption@cssf.lu.
Circular CSSF 25/880 on relationship management of payment service users and PSP ICT assessment outlines detailed requirements for PSPs, covering both the management of relationships with payment service users and the requirement to conduct a PSP ICT assessment and submit it using the standardised form via the CSSF’s eDesk portal.