Digital Operational Resilience Act (DORA)


DORA (Digital Operational Resilience Act) is an EU regulation that aims to strengthen the digital operational resilience of the EU financial sector by introducing a single, common legal framework for managing ICT risk.

Applicability

DORA applies to 20 different types of financial entities, encompassing banks, payment institutions, investment firms, and insurance companies among others, as well as to the ICT third-party service providers designated as critical. Being a regulation rather than a directive, it applies directly in every Member State from January 17, 2025.

Key requirements

  • ICT (information and communication technology) risk management: Financial entities must implement a comprehensive and robust ICT risk management framework, with the management body accountable for it.
  • ICT incident management: Financial entities must classify ICT-related incidents and notify major ICT-related incidents to their competent authority.
  • Digital operational resilience testing: Financial entities must regularly test the resilience of their ICT systems and their ability to respond to and recover from ICT incidents; entities identified by the competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years.
  • Third-party ICT service provider risk management: Financial entities must diligently select, contract with and oversee third-party ICT service providers, and maintain a register of their contractual arrangements.
  • Information sharing: Financial entities may exchange cyber threat information and intelligence with each other through trusted information-sharing arrangements.

Implementation in Luxembourg

Being a regulation, DORA applies directly in Luxembourg without needing transposition. A bill is nevertheless being drafted to implement it in national law, in particular to designate the competent authorities and grant them the necessary supervisory and sanctioning powers. Supervision of compliance with DORA will fall under the purview of the CSSF (Commission de surveillance du secteur financier) and the CAA (Commissariat aux Assurances), designated as the competent authorities for this task.

Incident reporting

  • DORA harmonizes the requirements for ICT incident reporting across the EU financial sector, replacing the sector-specific reporting obligations that financial entities were subject to until now.
  • The CSSF (Commission de surveillance du secteur financier) has put in place a new incident reporting regime aligned with DORA.

TIBER-LU and TLPT

The TIBER-LU (Threat Intelligence-based Ethical Red Teaming) framework, the Luxembourg implementation of TIBER-EU, will be slightly adapted to align with the RTS (Regulatory Technical Standards) on TLPT (threat-led penetration testing), so that tests performed under TIBER-LU can satisfy the DORA TLPT requirement.

DORA Delegated Regulations and Guidelines

  • The ESAs (European Supervisory Authorities: EBA, EIOPA and ESMA) are finalizing the RTS and ITS (Implementing Technical Standards) that specify the detailed requirements of DORA.
  • The draft RTS and ITS are available for public consultation before being adopted by the European Commission as delegated and implementing regulations.

Conclusion

DORA is an important piece of legislation for the Luxembourg financial sector. Given the breadth of its requirements, financial entities should start preparing for it as soon as possible, beginning with a gap analysis of their ICT risk management framework, incident reporting processes, testing programme and third-party contracts against the regulation.
