Financial Sector
Digital Operational Resilience Act
In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was established to further strengthen the digital operational resilience in the EU financial sector by introducing a common legal framework, i.e., Level 1 text, which will enter into application on 17 January 2025.
The six main pillars of DORA are as follows:
In September 2024, Derisk Advisory joined forces with DSM Avocats à la Cour to host a webinar on DORA's implications for Luxembourg financial institutions. It is available for replay on YouTube:
DORA mandates the European Supervisory Authorities (ESAs) and the Commission to develop a number of regulatory products and reports, i.e. Level 2 and Level 3 texts. As of publication date, their status is as follows:
Regulatory products and reports relevant to financial institutions
| Level | Legislation (or equivalent) | Linked to | Publication status |
|---|---|---|---|
| 1 | DORA Regulation (EU) 2022/2554 | n/a | Entered into force |
| 2 | CDR on ICT risk management framework | Art. 15 | Entered into force |
| 2 | CDR on the classification of ICT-related incidents and cyber threats | Art. 18(3) | Entered into force |
| 2 | Final Draft RTS and ITS on content, timelines and templates on ICT-related incident reporting | Art. 20 | Final Draft |
| 2 | Final Draft RTS on threat-led penetration testing | Art. 26(11) | Final Draft |
| 2 | CDR on the policy on ICT contractual arrangements supporting ‘CoI‘ functions | Art. 28(10) | Entered into force |
| 2 | Final Draft RTS on subcontracting of ‘CoI’ functions | Art. 30(5) | Final Draft |
| 2 | Final Draft ITS on the register of information | Art. 28(9) | Final Draft |
| 3 | Final Draft Guidelines on aggregated costs and losses from major ICT-related incidents | Art. 11(1) | Final Draft |
Regulatory products and reports relevant to critical ICT third-party service providers and their oversight
| Level | Legislation (or equivalent) | Linked to | Publication status |
|---|---|---|---|
| 2 | CDR on the criticality criteria to designate CTPPs | Art. 31(6) | Entered into force |
| 2 | Final Draft RTS on oversight harmonization | Art. 41(1) | Final Draft |
| 2 | Final Draft RTS on oversight harmonization – joint teams’ composition | Art. 41(1)(c) | Final Draft |
| 2 | CDR determining the oversight fees for CTPPs | Art. 43(2) | Entered into force |
| 3 | Draft Guidelines on oversight cooperation between the ESAs and competent authorities | Art. 32(7) | Final Draft |
