Nicolas Remarck, left, and David Hagen told Paperjam about the Digital Operational Resilience Act (Dora). Photos: Guy Wolff/Marc Blasius/Archives. Montage: Maison Moderne

By 17 January 2025, financial institutions must comply with the new regulation on digital operational resilience. Here’s the state of affairs.

“Beyond being compliant with Dora on 17 January, the real challenge is to instil a culture of resilience throughout the organisation.” Nicolas Remarck, head of information systems security (Ciso) at Banque Internationale à Luxembourg (Bil), has been busy since his arrival on 1 July. He has his sights set on 17 January 2025, the date on which the new European regulation on digital operational resilience--better known as Dora--will come fully into force.

This seminal text targets financial institutions, aiming to ensure their “operational resilience,” i.e., their ability to restart their business as quickly as possible after an IT incident--be it a cyber attack or a production problem. “Everyone is focusing on cybersecurity, which is fine, but the risk today is also a technical transition that goes wrong. This can happen in certain organisations and have a real impact,” says Remarck.

Dora is built around a number of pillars. One of the most important is risk management for information and communication technologies (ICT). The emphasis is on the critical functions of the establishments, which must identify the most sensitive assets and processes, then put themselves in a position to manage the problems as best and as quickly as possible. Proactivity is the key. “Teams need to be trained to gather actionable evidence and respond in the first few hours of an attack,” says Bil’s Ciso.

Late clarification

The regulation also introduces more advanced resilience tests, involving in particular the simulation of sophisticated cyber attacks. “These tests simulate attacks by groups of experienced hackers, which goes beyond conventional penetration tests, which are often limited in time and scope. The aim is to test the coherence and overall effectiveness of security mechanisms, checking that all detection and incident management processes work in harmony, like instruments in an orchestra playing together.”

This new framework has forced Bil to overhaul certain processes, not without difficulty due to the late arrival of the regulator’s clarifications (RTS and ITS). Full preparation of the resilience tests is scheduled for 2025. They will include players who have been less involved in the past, such as the communications teams, who are crucial for managing communications in times of crisis. Bil had a taste of this in 2024, when it took part--as a systemic bank--in the European Central Bank’s (ECB) cyber resilience test.

The other pillars of Dora include reporting major incidents to the regulator and, above all, managing the risk associated with ICT suppliers, such as cloud service providers. Third-party management is taking on a new dimension with closer monitoring of external service providers, particularly their cybersecurity practices. The difficulty lies in extending IT security obligations to all levels of the subcontracting chain, including non-EU providers.

Around a hundred suppliers

Contractual negotiations with ICT service providers are at the top of the list of problems encountered in Luxembourg by credit institutions, but also by investment companies, hedge fund managers and asset management companies. This was revealed by the Financial Sector Supervisory Commission (CSSF) on the basis of responses from 389 entities to its ‘Dora readiness survey’ conducted in September 2024. The Bil works with around a hundred providers of various sizes and nationalities. “We have to analyse those that manage critical functions, but Dora requires even greater vigilance,” explains Remarck. Germany, for example, plans to monitor up to rank 10 subcontractors. “This exponential approach is complex to manage, because each supplier is linked to other service providers. This requires a huge amount of work from our teams, because the bigger a company is, the more suppliers it has to manage.”

Luxembourg, continues Remarck, has one advantage: “We were already well regulated in terms of subcontracting, with a culture of tighter control thanks to the reporting obligations to the CSSF. So this regulation, although complex, is not entirely new to us. But the diversity of suppliers complicates matters: while some respond well to our requests, others claim to be outside the scope of Dora even though they are concerned.”

Coincidence of calendars

Large foreign suppliers, such as Microsoft, are a special case. “When you contact them, they refer you to their website, where a page lists everything that proves their compliance with all the regulations in the world. With them, it’s very difficult to negotiate additional guarantees because the balance of power is unbalanced.” Another difficulty: “Some suppliers faced with the requirements of Dora, and obliged to comply, want to pass on this cost to customers like us.”


The CSSF survey also showed that, for almost one in four of the entities surveyed, the lack of resources (technical, HR, budget) is the number one priority in relation to Dora. At Bil, the head of ICT risk confirms: “The problem is linked to the coincidence of the timetables for Dora and Nis2, which require similar skills. What’s more, cybersecurity needs have become very diverse. This wide range of skills is difficult to bring together, especially as budgets are not unlimited.”

It has to be said that in addition to Dora, other regulations such as Basel IV, CRR3 (on capital requirements) and instant payment are also arriving, creating a lot of pressure on the teams. To manage this workload, “anticipation is crucial,” says Remarck. That’s why, almost ten years ago, Bil set up a regulatory watch unit to monitor changes in standards and anticipate as far as possible.

A substantial cost

The Ciso sees Dora as a good example: “Everyone is talking about it now, but the subject has been on the table for two years. The regulator didn’t hold a knife to our throat. Anticipation also means, for example, incorporating regulatory requirements into the design of new systems. This is what we did last year when we changed our main banking system. Training teams and sharing cyber-resilience exercises, such as those run by the ECB, also contributes to better preparation.”

Between the need for qualified staff, documentation and training, the cost of complying with Dora appears substantial. According to informal estimates circulating in the marketplace, a small structure cannot get away with less than €50,000 to €100,000, while large companies could spend millions. As far as Bil is concerned, Remarck doesn’t think that Dora will cost millions. “The majority of adaptations concern our processes, which means doing things a little differently. Around 60% of the changes are therefore procedural, while 40% require more profound modifications, particularly for resilience tests, which now have to prove that the company can operate even in the event of multiple breakdowns and difficult conditions. This requires us to rethink our security posture.”

Impact on cloud strategy

A posture for which not all the contours are yet clear, stresses our interviewee. Take, for example, the exit plans required by Dora, particularly for the cloud, which will allow us to switch to another supplier if necessary. “The regulator does not specify exactly how these plans should be tested. For example, testing a switch from Microsoft to AWS would be very expensive and would mobilise a lot of resources, which is not realistic. At the same time, a simple theoretical plan with no concrete preparation will not be accepted.”

This is an opportunity to point out that Dora represents, in part, a form of response to the rise of the cloud in finance. The regulation will influence the Bil’s cloud strategy, in particular by encouraging the development of exit options to avoid excessive dependence on one supplier. “The cloud offers advantages such as flexibility and automated control, which improves our resilience, but it also creates dependencies and has a significant cost. Resilience means being able to adjust our technical choices if necessary,” says Remarck.

Many special cases

As a bank of a certain size, Bil is theoretically one of the best-prepared entities in the financial centre for Dora. The CSSF survey shows that credit institutions are the most advanced in terms of gap analysis: more than 97% of them have carried one out, followed by hedge fund managers and management companies (manco) with almost 90%.

This seems logical: Dora formalises the requirements already imposed on banks in terms of cybersecurity and business continuity. For the fund management companies now subject to the regulation, which are often very small and rely on their group or a custodian bank to comply with the rules, this framework is more novel. Is it also more burdensome? “Paradoxically, small structures often have fewer special cases to manage and a centralised organisation, which can simplify compliance,” notes Remarck. At Bil, the situation is more complex because of the size and particularities of the entities, such as the Bil pension fund, which is a legal entity but has no infrastructure of its own. “This means there are many special cases and a large number of suppliers to assess, which adds to the complexity and volume of work needed to comply with Dora.”

All in all, how does Bil feel about its level of preparation, with three months to go? “There’s still a lot of work ahead of us, but we’re making good progress,” concludes the head of ICT risk.

Difficulties for funds

Formerly responsible for overseeing IT in the financial sector and supporting professionals of the financial sector (PFS) at the CSSF, consultant David Hagen believes that the Luxembourg financial sector is not fully ready for Dora. “As with the General Data Protection Regulation (GDPR), 100% compliance does not seem possible. With cascading outsourcing, considering extending IT security obligations beyond the first or second level of the chain seems unrealistic.”

Even if the continuity of critical activities is less of an issue for small organisations than for banks, which manage a multitude of products and services, Dora brings with it difficulties for the fund industry, according to the specialist. “The companies most affected by Dora are small organisations that have always operated with basic IT systems, without paying enough attention to their resilience. Knowing that size doesn’t protect against cyber attacks, IT security is going to take a particularly heavy toll.”

Hagen takes the example of calculating net asset value (NAV): “If the accounting software is unavailable, the business comes to a standstill.” He adds, “Even if this software is supplied by the parent company, the latter is legally considered to be a service provider, which imposes direct responsibilities on it.”

Reduce ICT risk

In Luxembourg more than in other countries, small fund structures tend to rely on their group to ensure compliance, according to the expert. “But Dora requires them to assume their own obligations! Their board of directors must validate and document the information received from the group, because the responsibility rests with them. What’s more, the law of 1 July 2024 is strict: penalties can be as high as €2m for directors.”

“We will have to anticipate the integration of AI into Dora.”
David Hagen, consultant

Hence the importance of managing IT risks at the highest level. “One of Dora’s objectives is to integrate IT risks into overall risk management, whereas they were often neglected. The message is clear: IT risk must be integrated into the risk assessment of company management, because today, without IT, everything grinds to a halt.”

Will smaller players be ready for the 17 January deadline? “I hope so for the reporting of the register,” replies Hagen. “Unless this date is extended, if they are unable to provide their register by the first quarter of 2025, it is likely that the CSSF will not grant an extension and will impose fines. Outside the register, in the event of prolonged non-compliance, fines may be imposed. Companies will need to prove to the CSSF that they are taking the matter seriously. This means documenting the steps they have taken, explaining any delays and presenting a clear plan, on pain of penalties.”

Dora and AI

The consultant notes the “special case” posed by service providers defined as specialised PFS (in the terms of the law, such as registrars). These service providers are not directly targeted by Dora, but must nonetheless ensure compliance with its requirements for the management companies and funds they serve.

And the circle of players concerned by Dora is set to widen in the future, as Hagen points out. “With the development of artificial intelligence, we will have to anticipate its integration into the Dora framework, because it will be considered a critical service if it is used in production. When a company adopts an AI model, such as ChatGPT, for production activities, Dora could indirectly apply to the service provider that supplies and maintains this model.” Dora includes obligations for critical third-party providers (CTPPs). Suppliers of AI models could eventually be included.

Dora: the resilience objective

The Regulation on Digital Operational Resilience (Dora) is due to come fully into force on 17 January 2025. Its aim is to improve the ability of financial institutions, such as banks, insurance companies and asset managers, to recover very quickly from a digital incident. To achieve this, Dora plans to harmonise processes and strengthen transparency, information sharing and monitoring of third-party service providers, particularly those linked to the cloud.

Digital security: a new European framework

Artificial intelligence

The European regulation on artificial intelligence (AI) came into force on 1 August 2024. It aims to regulate the use of AI and protect citizens from the risks associated with its misuse. Its approach is risk-based. Most AI systems, such as those used in video games, are not considered to be at risk and are not subject to any obligation. At the other end of the scale, certain uses such as “social rating” are deemed unacceptable and therefore prohibited. “These regulations provide a transparent legal framework, which is essential for establishing trust, a key element in our business. It opens up possibilities and allows this type of tool to be used with complete peace of mind,” says Nicolas Remarck. Bil’s Ciso also welcomes the creation by the EU of an office to test and validate AI, “an initiative that contributes to confidence by reinforcing the reliability of these tools.”

Critical infrastructure

The Nis2 directive (directive on the security of networks and information systems) aims to strengthen cybersecurity in Europe. It imposes strict obligations for risk management, incident reporting and cross-border collaboration. Compared with Nis1, which covered energy and health in particular, Nis2 extends the scope to new sectors such as public administration, space, waste water management, waste management and digital services. The Nis2 directive came into force on 17 October 2024. However, for it to take effect at national level, the Luxembourg legislator must adopt the bill transposing it. At the time of going to press, the legislative process is still underway.

Cryptoassets

The Mica (Markets in Cryptoassets) regulation aims to create a harmonised framework for this sector within the EU. From custody to exchange to management of cryptoassets, Mica sets binding standards for market participants, in order to strengthen consumer protection and financial stability. It applies primarily to token issuers and cryptoasset service providers (Casps), affecting both traditional institutions and crypto players. The regulation is due to apply in full on 30 December 2024. Not all applications for authorisation to benefit from the European passport will be able to be processed by then, informs the CSSF. Players registered as virtual asset service providers (Vasps) may, however, under the “grandfather clause,” continue to provide crypto services in Luxembourg until 1 July 2026 at the latest.

This article was written in for the magazine, published on 20 November. The content of the magazine is produced exclusively for the magazine. It is published on the website as a contribution to the complete Paperjam archive.