The tight timetable for the Digital Operational Resilience Act (Dora) concerns both financial institutions and the Financial Sector Supervisory Commission (CSSF). The former had to , a register of information relating to all ICT service contracts provided by third-party providers. The ball is now in the court of the CSSF, which must transmit these registers to the European Securities and Markets Authority (Esma) by 30 April.
The second half of April is thus crucial for the Luxembourg regulator, which must carry out consistency checks to prevent Esma from rejecting these registers. The European authority will also be carrying out its own checks when it comes to consistency of data, logic of information and compliance with the required format.
The implementation of Dora , which has experienced some delays since the text . What is the CSSF’s attitude to these delays? Asked by Paperjam, the regulator said it was unable to answer, citing “a particularly heavy workload.”
The Luxembourg Bankers’ Association (ABBL) believes that “the CSSF is taking a constructive and pragmatic approach, recognising the scale of the task as well as the delays in finalising certain technical regulatory standards (RTS) and implementing standards (ITS) at European level.”
The tone is the same at the Association of the Luxembourg Fund Industry (Alfi). “The CSSF has prepared the ground well,” says Isadora Pardo, senior VP of industry affairs at Alfi. “It has increased the number of exchanges with the industry, which we welcome. Of course, minor technical difficulties can always arise with this type of complex file. But overall, the industry has been well prepared--as have the CSSF’s internal teams.”
Engaged long before Dora
A consultant in IT risk management and cybersecurity, Laurent de la Vaissière observes that “the CSSF is clearly one of the European regulators most attentive to issues relating to technological risks and cybersecurity. Long before Dora came into force, it had already committed itself to this field, actively promoting the ancestors of this regulation--not laws, but regulatory requirements--and sometimes going so far as to extend these requirements, initially designed for the traditional financial sector, to alternative fund managers.”
In the context of Dora, for example, the CSSF sent a questionnaire to the parties concerned to improve the organisation of the receipt of registers. On another sensitive point--the imbalance in contractual negotiations between large service providers and small management companies--the regulator has encouraged the ABBL and Alfi to report recurring problem situations. If several players encounter the same difficulties with a provider, the CSSF has said it is ready to intervene to redress the balance of power.
Multiplying exchanges
The CSSF has also taken part in several seminars with professional associations to explain the Dora application texts and guidelines. The aim: to help stakeholders understand the practical implications, whether in terms of the information register, IT incident management or obligations in terms of governance and internal procedures.
These conferences have enabled the Luxembourg regulator to get its key messages across. The main one, according to de la Vaissière, is that “the CSSF does not intend to descend on institutions on 18 January with on-site inspections, hoping for total compliance overnight. On the other hand, from the beginning of 2025, it expects entities to have precise and well-documented gap analyses: what is already in compliance, what is partially in compliance, what is not in compliance at all.”
On this basis, the aim is to draw up an action plan based on a risk management rationale, with a reasonable compliance horizon. “In routine exchanges with the case officers--the CSSF reference officers for each institution--there may already be requests for additional information: how far have you got? What documents can you provide on your level of compliance or your action plan? The challenge is to understand the approach taken by institutions, even if Dora does not officially provide for a transitional period,” says the consultant.
Clarifying obligations
At the same time, the CSSF is overhauling its regulatory framework for ICT risks and outsourcing. On 9 April, it published a series of circulars designed to bring its regulations into line with Dora. The purpose of these updates is to eliminate regulatory redundancies and clarify the obligations of supervised entities. They also introduce a clear distinction between entities subject to Dora and those that are not, by defining requirements tailored to each category.
Once the information reporting stage is over, one of the Luxembourg regulator’s priorities will be incident monitoring. This aspect has been anticipated since January 2024 with CSSF circular 24/847, which describes the reporting process. Luxembourg companies have been required to comply with this circular since 1 June 2024.
Another project: updating contracts. “Not all have been finalised yet, but the CSSF remains pragmatic. What will count is the effort made and the precise documentation of the steps taken, even if everything is not yet perfectly in place,” adds Pardo. “Finally, we mustn’t forget that Dora is an ongoing process. Its aim is to ensure operational resilience and avoid major IT incidents. With each new supplier, new function or change in process, we need to integrate these elements into the system. It’s an in-depth, long-term process.”
Whilst the CSSF has so far played a supportive role, the market is now expecting a tougher stance. “It is clear that the CSSF will gradually move into a more active supervisory phase,” says de la Vaissière. “For several years now, it has been carrying out on-site inspections specifically on IT risk, at an average rate of eight to ten a year over the last three years. This issue is also increasingly included as part of more general inspections.”
And he points out that even before the transposition of the technical directive associated with Dora--which completes the regulation--Luxembourg had already experienced significant sanctions in terms of cybersecurity. “Since last summer’s legislative update, the potential sanctions have been more severe. This does not mean that the CSSF will systematically apply the highest fines provided for by law, but the framework is now much stricter.”
To date, the highest sanction handed down in Luxembourg in this area is . The consultant notes that “the CSSF is not the only European authority to take action in this area: Germany’s Bafin, for example, for almost three years, due to IT-related flaws.”
This article was originally published in .