In brief
On 2 July 2024, the Luxembourg law (“Law“) implementing the new European framework for the effective and harmonized management of digital risks in the financial sector, namely the Digital Operational Resilience Act (DORA), was published in the Luxembourg official gazette.
Like DORA, the Law will apply as of 17 January 2025.
The Law designates the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) as the competent Luxembourgish authorities responsible for ensuring that DORA is applied by the in-scope entities subject to their supervision. The Law also authorizes these authorities to impose administrative sanctions and measures if DORA’s provisions are violated, and establishes an appropriate system of sanctions and other administrative measures.
Key Takeaways
DORA represents a significant step forward in enhancing the financial sector’s digital operational resilience in Luxembourg and across Europe.
As a reminder, DORA imposes new obligations on financial entities and certain information and communication technologies (ICT) service providers,[1] requiring them to implement robust measures to manage and mitigate ICT risks, which rely on five pillars:
- ICT risk management and ICT governance. The first pillar concerns the adoption of a comprehensive ICT risk management framework and governance to address evolving digital risks. In particular, financial institutions shall ensure that their ICT documentation (procedures, policies, controls and tools) complies with DORA requirements. Moreover, the regulation explicitly requires that members of the financial entity’s management body actively keep up to date with sufficient knowledge and skills to understand and assess ICT risks and their impact on the financial entity’s operations, including by regularly following specific training commensurate to the ICT risk being managed. Furthermore, members of the management body must play an active and central role in steering and adapting to DORA the entity’s ICT risk framework and overall digital resilience strategy.
- ICT incident management and reporting. The second pillar concerns ICT incident management and reporting. Financial institutions shall use a streamlined procedure to log and classify ICT incidents and report major incidents to authorities. DORA also requires financial entities to voluntarily notify competent authorities about an important cyber threat.
- Digital operational resilience testing program. The third pillar requires that financial institutions regularly perform assessments, such as vulnerability assessments, penetration testing and scenario-based exercises. All critical systems and processes will be put through rigorous and thorough testing by DORA to ensure that they can resist and recover from operational shocks.
- Strategy for ICT third-party risk. Financial institutions are obliged to adopt and regularly review their strategy to assess the risks coming from ICT third-party service providers, including cloud computing services. The strategy for ICT third-party risk should include a policy on the use of ICT services supporting “critical or important functions” provided by ICT third-party service providers. In addition, financial organizations must make sure that their third-party providers meet the same demanding requirements for operational resilience. This involves carrying out due diligence, monitoring performance and making sure that contractual agreements have clauses that mandate compliance with DORA requirements.
- Information and intelligence sharing. The fifth pillar provides for the possibility, on an optional basis, for financial entities to exchange information and intelligence about cyber threats, enhancing the financial sector’s overall capacity to identify, respond to and reduce ICT risks.
In accordance with the Law, the CSSF and the CAA will be empowered to impose, within the limits of their respective powers, the following sentences on persons subject to their respective supervision if certain provisions of DORA are violated:
- An injunction ordering the person responsible for the violation to put an end to the conduct in question and refrain from repeating it
- The temporary or definitive cessation of any practice judged by the competent authority as contrary to the provisions of DORA
- For a natural person, an administrative fine of EUR 5 million
- For a legal entity, an administrative fine of a maximum of EUR 5 million or up to 10% of the annual turnover total, according to the latest available accounts approved by the management body
- A public statement specifying the identity of the person responsible and the nature of the violation, in accordance with Article 54 of DORA
In addition to implementing DORA, the Law transposes into Luxembourg laws Directive (EU) 2022/2556 of 14 December 2022, which amends specific European financial sector directives to implement digital resilience and ICT security requirements.
In this respect, the Law introduces targeted amendments to nine Luxembourg laws relating to the financial sector, such as the law of 5 April 1993 on the financial sector (as amended); the law of 10 November 2009 on payment services (as amended); the law of 17 December 2010 on undertakings for collective investment (as amended); the law of 12 July 2013 on alternative investment fund managers (as amended); and the law of 7 December 2015 on the insurance sector (as amended) in order to require that supervised entities integrate DORA requirements in terms of IT infrastructure into their organization.
[1] DORA covers a wide range of financial entities, including credit institutions, investment firms, payment and electronic money institutions, central counterparties and trade repositories, authorized alternative investment fund managers, (re)insurance undertakings and intermediaries, and crypto-asset services providers. In addition, it also includes certain entities typically excluded from financial regulations. For instance, crowdfunding service providers or third-party ICT service providers (like cloud service providers and data centers) must follow DORA requirements.