17/01/25

DORA goes live: the steps that you need to take

The Digital Operational Resilience Act (“DORA”) becomes applicable from 17 January 2025 and introduces a series of new obligations aimed at strengthening the operational resilience of financial institutions across Europe. DORA expands well beyond traditional banks and investment firms, covering a wide range of financial sector entities as well as their ICT service providers. Below, we outline the essential points to consider for your organisation, with a particular focus on the Luxembourg context.

DORA’s scope and key requirements

DORA establishes a robust framework to ensure that financial institutions and their ICT providers are better prepared to handle cyber threats and other technological risks. Among the key highlights:

  1. Risk management & Governance
    • Organisations must implement comprehensive governance and risk management processes for their ICT infrastructures and assign clear responsibilities (often at management or board level) to oversee digital resilience.
  2. Incident reporting
    • Significant incidents must be reported to the competent authorities (e.g. the CSSF for banking, the CAA for insurance).
    • DORA also enables (on a voluntary basis) the notification of serious cyber threats that have not yet materialised but might affect the system.
  3. Testing of Digital Operational Resilience
    • Organisations must regularly test the robustness of their ICT systems, including through penetration tests and vulnerability assessments.
    • More stringent tests may be required for critical or important functions.
  4. ICT third-party risk management
    • Contracts with ICT providers must include new mandatory provisions (e.g. service levels, security obligations, audit rights, exit strategies, etc.).
    • An information register documenting all ICT outsourcing arrangements is required, allowing regulators to track, among other things, critical third-party relationships.
  5. Information-sharing
    • Entities may (on a voluntary basis) share information on emerging cyber threats with each other, fostering collective resilience within the sector.

Luxembourg Specificities

In Luxembourg, the national framework supporting DORA has been introduced by the Law of 1 July 2024, which notably strengthens the supervisory powers of the CSSF and the CAA (regulator for the insurance sector).

These authorities oversee compliance and have been granted additional investigative powers, including access to documentation and the ability to conduct specific on-site inspections. They can also impose sanctions where non-compliance is identified, potentially leading to substantial fines (up to 5 million euros or 10% of annual turnover for legal persons), which may also affect individual board members or senior managers.

It is important to highlight that no transition period is foreseen: DORA applies directly from 17 January 2025, meaning that any in-scope organisation is expected to be ready by this deadline.

Additionally, financial institutions should monitor developments not only in DORA itself but also in the numerous Level 2 texts, such as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which provide further details on topics such as information register completion, incident reporting formats, testing methodologies, and contractual requirements. Failing to comply with these delegated and implementing acts can also expose entities to enforcement actions.

What you need to do

Based on our experience, preparing for DORA can be challenging, particularly if you lack the time or in-house resources needed to draft or review relevant legal documents and procedures. We recommend the following first practical actions to help your organisation achieve and maintain DORA compliance:

  1. Conduct a DORA ‘Health Check’
    • Perform a gap analysis of your current ICT infrastructure and policies.
    • Identify critical or important functions, along with any vulnerabilities in your setup.
  2. Draft or update contracts and internal policies
    • Ensure that all service agreements with ICT providers include DORA-compliant clauses.
    • Document all third-party dependencies in the information register.
  3. Set up or update your incident reporting process
    • If not done yet, draft and implement a clear procedure for classifying, recording, and reporting ICT incidents to the competent authorities.
    • Provide internal training so that teams understand both how and when to trigger this process.
  4. Implement ongoing monitoring
    • Establish regular resilience testing schedules (penetration tests, vulnerability assessments, etc.).
    • Adopt continuous monitoring and seek feedback to update and improve your policies in line with evolving threats and regulation.
