The Digital Operational Resilience Act (“DORA”) becomes applicable from 17 January 2025 and introduces a series of new obligations aimed at strengthening the operational resilience of financial institutions across Europe. DORA extends well beyond traditional banks and investment firms, covering a wide range of financial sector entities as well as their ICT service providers. Below, we outline the essential points to consider for your organisation, with a particular focus on the Luxembourg context.
DORA establishes a robust framework to ensure that financial institutions and their ICT providers are better prepared to handle cyber threats and other technological risks. Among the key highlights:
In Luxembourg, the national framework supporting DORA has been introduced by the Law of 1 July 2024, which notably strengthens the supervisory powers of the CSSF and the CAA (regulator for the insurance sector).
These authorities will oversee compliance, having been granted additional investigative powers, including access to documentation and the possibility to conduct specific on-site inspections. They can also impose sanctions where non-compliance has been identified, potentially leading to substantial fines (up to 5 million euros or 10% of annual turnover for legal persons), which may also affect individual board members or senior managers.
It is important to highlight that no transition period is foreseen: DORA applies directly from 17 January 2025, meaning that any in-scope organisation is supposed (and expected) to be ready by this deadline.
Additionally, financial institutions should monitor developments not only in DORA itself but also in the numerous level two texts, such as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which provide further details on topics such as completion of the information register, incident reporting formats, testing methodologies, and contractual requirements. Failing to comply with these delegated and implementing acts can also expose entities to enforcement actions.
Based on our experience, preparing for DORA can be challenging, particularly if you lack the time or in-house resources needed to draft or review relevant legal documents and procedures. We recommend the following first practical actions to help your organisation achieve and maintain DORA compliance:
Adopt continuous monitoring and seek feedback to update and improve your policies in line with evolving threats and regulation.
Our dedicated IT/IP PwC Legal Team offers one-stop-shop DORA assistance, combining legal expertise with practical insights to meet your specific needs:
Should you wish to learn more about our DORA services, check our page or reach out to us directly.
Deputy Managing Partner, Avocat à la Cour au Barreau de Luxembourg, PwC Legal
Tel: +352 26 48 42 35 98
Counsel, Avocat à la Cour au Barreau de Luxembourg, PwC Legal
Tel: +352 26 48 42 35 58