DORA, in a few words
The Digital Operational Resilience Act (DORA) aims to harmonize provisions related to cybersecurity and information and communication technology (ICT) risk management in the financial sector. Its scope covers nearly all entities in the financial sector (Financial Entities), as well as third-party companies providing ICT services that support critical or important functions.
This broad scope includes, in particular, credit institutions, investment firms, trading platforms, management companies, crowdfunding service providers, and service providers for crypto-assets authorized under Markets in Crypto-Assets Regulation (MiCA). The regulation introduces a principle of proportionality, allowing certain Financial Entities (particularly smaller ones) to benefit from a simplified regime or even be exempted.
DORA includes provisions requiring Financial Entities to:
- Implement a framework for managing ICT risks. This framework must include, in particular, the establishment of governance and internal control rules, the development of a digital operational resilience strategy, and the establishment of a comprehensive ICT business continuity policy;
- Notify the competent national authorities of incidents identified as major and related to ICT;
- Perform digital operational resilience tests. Certain Financial Entities identified by the competent authorities, particularly based on the systemic nature of the entity or the ICT-related risk profile, will also be required to implement advanced tests using penetration testing based on threat simulation, i.e., simulating the tactics of actual cyber-attacks;
- Manage the risks associated with outsourcing to third-party ICT service providers, including new contractual requirements. Financial entities must identify and integrate the risks associated with third-party ICT service providers into their risk management framework and remain fully responsible for compliance with DORA obligations when engaging these third parties;
- Voluntarily share operational information on cyber threats and vulnerabilities among financial sector actors.
The regulation also imposes a supervisory framework at the European level for third-party ICT service providers deemed “critical”, meaning those that could have a systemic impact on the stability, continuity, or quality of financial service delivery.
Importance of DORA
DORA is quickly becoming a cornerstone regulation for Financial Entities across the EU. The CSSF has also confirmed that DORA requirements, including any draft regulatory technical standards (RTS) and implementing technical standards (ITS), take precedence over any overlapping elements in previous CSSF circulars. However, any obligations not covered by DORA remain in force in their current form, in particular:
- CSSF 20/750 specifying the requirements regarding information and communication technology (ICT) and security risk management;
- CSSF 22/806 on outsourcing arrangements (regarding ICT outsourcing arrangements);
- CSSF 24/847 on ICT-related incident reporting framework.
Supervisory Approach
The Commission de Surveillance du Secteur Financier (CSSF) acknowledges the challenges Financial Entities face in adopting and implementing DORA, particularly with some measures still pending finalization. Overall, the CSSF expects that most Financial Entities are prepared for DORA compliance, given the responses to the readiness survey carried out in August 2024. Regarding the outstanding RTS and ITS, the CSSF expects minimal divergence from the draft provisions and, given that the drafts have been available for a substantial amount of time, believes entities have had enough time to consider their next steps. Financial Entities are urged to proceed with readiness measures immediately if they are not already in progress.
Challenges to Contractual Negotiations
DORA’s requirement for specific contractual clauses has proven to be tricky for some. DORA imposes obligations to ensure that contractual agreements with service providers explicitly address ICT risk management, incident reporting, and compliance monitoring. Such clauses are integral to aligning third-party service providers with DORA’s stringent requirements. However, as DORA has now harmonized requirements across the EU, it is expected that non-EU providers who have so far been hesitant to make adjustments will be more open and adaptable in order to retain their EU market share.
Compliance Expectations
It is expected that Financial Entities have:
- Conducted a gap assessment to identify differences between their existing procedures and DORA requirements.
- Developed, or are in the process of developing and implementing, action plans to address identified gaps.
- Demonstrated significant progress toward DORA readiness, even if full compliance is not yet achieved.
- Planned for weekend and bank holiday reporting obligations: the CSSF has identified the list of Financial Entities that are impacted and will notify them by the end of February 2025.
Upcoming Submission: Register of Information to be submitted by Financial Entities to the CSSF for submission to ESAs
Who are the ESAs?
The European Supervisory Authorities (ESAs) are:
- the European Banking Authority (EBA),
- the European Insurance and Occupational Pensions Authority (EIOPA), and
- the European Securities and Markets Authority (ESMA)
What is the Register of Information?
DORA requires Financial Entities, as part of their ICT risk management framework, to maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. All Financial Entities shall make the register of information available to the CSSF, along with any information deemed necessary to enable effective supervision. The register of information is composed of 15 templates.
Timeline:
- 1 April 2025: Submission of Register of Information opened – all financial entities to submit their templates to the CSSF. Submissions will be via eDesk in CSV format.
- 15 April 2025: Submissions closed; the CSSF will review and may request corrections and re-sending of files in case of errors. Re-submissions need to be made before 31 April 2025.
- 31 April 2025: CSSF to pass along submission to the ESAs.
- May 2025: ESAs to review and to provide feedback or additional request for information to the CSSF.
Previously, the CSSF has noted that:
- ICT outsourcing arrangements which have already been notified under circular CSSF 22/806 do not need to be re-submitted in the context of DORA.
- Contractual arrangements on the use of ICT services already in place prior to 17 January 2025 that have not been notified under circular CSSF 22/806 (because they did not qualify as a critical or important ICT outsourcing) are also not required to be submitted as notifications to the CSSF; however, they need to be listed in the Register of Information.
New roles and functions
The CSSF emphasizes the importance of role segregation and of maintaining independence between the control and operational roles and functions. Exceptions can be made for very small entities; however, this is to be considered on a case-by-case basis.
Further emphasis was placed on management bodies as a whole being prepared to supervise and take responsibility for digital operational resilience. Undergoing ICT-related training is essential for management bodies to adequately supervise, provide oversight of, and bear ultimate responsibility for DORA implementation and adherence within Financial Entities.
‘Must-haves’ in place for 17 January 2025
For Financial Entities to fulfil their reporting obligations, they need to have in place before 17 January 2025:
- Legal Entity Identifier (LEI) Code
- IT Incident Notifier role appointed and notified via eDesk
As of 17 January 2025, the CSSF will open a new dedicated procedure, “DORA Major ICT-related incident and significant cyber threat notification”. Two notification forms will be available and will need to be submitted by the IT Incident Notifier. This procedure replaces previous reporting under:
- eDesk procedure “24/847 Major ICT-related incident”
- PSD2 major incident reporting via Sofie channel under Circular CSSF 21/787
- Reporting by significant institutions of significant cyber incidents directly to the ECB
- Reporting by CSDs of material operational incidents in relation to ICT risk
As lawyers, we are ready to help financial players comply with DORA. Because with DORA, the time to get ready is now!
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Andrew Henderson, Partner (/en/people/h/henderson-andrew)
- Adelina Popescu, Associate (/en/people/p/popescu-adelina)