Financial Sector
Digital Operational Resilience Act (DORA)
In view of the increasing risks with respect to information and communication technology (ICT) and the growth in digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was established to further strengthen the digital operational resilience in the EU financial sector by introducing a common legal framework, i.e., Level 1 text, which will enter into application on 17 January 2025. The six main pillars of DORA are as follows:
DORA mandates the European Supervisory Authorities (ESAs) and the Commission to develop a number of regulatory products and reports, i.e. Level 2 and Level 3 texts.
| Level | Legislation (or equivalent) | Linked to |
|---|---|---|
| 1 | DORA Regulation (EU) 2022/2554 | n/a |
| 2 | CDR on ICT risk management framework | Art. 15 |
| 2 | CDR on the classification of ICT-related incidents and cyber threats | Art. 18(3) |
| 2 | CDR on content and timelines for ICT-related incident reporting | Art. 20 |
| 2 | CIR on templates for ICT-related incident reporting | Art. 20 |
| 2 | CDR on threat-led penetration testing | Art. 26(11) |
| 2 | CDR on the policy on ICT contractual arrangements supporting ‘CoI‘ functions | Art. 28(10) |
| 2 | CDR on subcontracting of ‘CoI’ functions | Art. 30(5) |
| 2 | CIR on the register of information | Art. 28(9) |
| 3 | Guidelines on aggregated costs and losses from major ICT-related incidents | Art. 11(1) |
In addition, DORA mandates the ESAs and the Commission to develop regulatory products and reports concerning critical ICT third-party service providers and their oversight (not covered here).
In Luxembourg, these CSSF circulars operationalize DORA by defining the practical modalities for financial entities to notify the CSSF of major ICT incidents, estimate related financial losses, and fulfill reporting requirements for their use of ICT third-party providers.