DORA (Digital Operational Resilience Act) is a regulation that aims to enhance the digital operational resilience of the EU financial sector by introducing a common legal framework.
Applicability
DORA applies to 20 different types of financial entities, including banks, payment institutions, investment firms and insurance companies, among others. The regulation is set to apply from January 17, 2025.
Key requirements
- ICT (information and communication technology) risk management: Financial entities must implement a comprehensive and robust ICT risk management framework.
- ICT incident management: Major ICT incidents must be notified to the competent authorities.
- Digital operational resilience testing: Financial entities must conduct regular tests to assess their ability to respond to ICT incidents.
- Third-party ICT service provider risk management: Financial entities must diligently select and oversee third-party ICT service providers.
- Information sharing: Financial entities must share information on cyber threats and ICT incidents.
Transposition in Luxembourg
DORA is directly applicable in Luxembourg; a bill currently being drafted will implement it in national law. Supervision of compliance with DORA will fall to the CSSF and the CAA (Commissariat aux Assurances), which are designated as the competent authorities for this task.
Incident reporting
- DORA harmonizes the requirements for ICT incident reporting.
- The CSSF (Commission de surveillance du secteur financier) has put in place a new incident reporting regime.
TIBER-LU and TLPT
The TIBER-LU (Threat Intelligence-based Ethical Red Teaming) framework will be slightly adapted to align with the RTS (Regulatory Technical Standards) on TLPT (threat-led penetration testing).
DORA Delegated Regulations and Guidelines
- The ESAs (European Supervisory Authorities) are finalizing the RTS and ITS (Implementing Technical Standards) on DORA.
- The draft RTS and ITS are available for public consultation.
Conclusion
DORA is an important piece of legislation for the Luxembourg financial sector. Financial entities should start preparing for it as soon as possible.