Since its full application on 17 January 2025, the Digital Operational Resilience Act (DORA) has redefined the regulatory expectations for the European financial sector. In 2026, the focus for financial entities has shifted: it is no longer about interpreting the Level 1 text, but about demonstrating sustained operational resilience and meeting the rigorous reporting and testing standards set by the CSSF and ESAs.

The Six Pillars of DORA

DORA is structured around six core pillars that require ongoing senior management oversight and technical precision:

[Figure: the six main pillars of DORA, namely internal governance; ICT risk management; ICT incident management, classification and reporting; digital operational resilience testing; ICT third-party risk management; and information sharing]

  • Internal Governance: Strengthening the role of the Management Body, which holds ultimate responsibility for the ICT risk management framework. This includes ensuring adequate budget allocation, training, and a clear definition of risk tolerance.
  • ICT Risk Management: Maintaining a comprehensive framework to identify, protect, detect, and recover from ICT-related threats. In 2026, this requires continuous alignment of internal controls with evolving business continuity and disaster recovery requirements.
  • ICT Incident Management, Classification & Reporting: Implementing a unified process to detect, manage, and notify ICT-related incidents. This includes the rigorous classification of "major" incidents based on ESA criteria and meeting the strict notification timelines for the initial, intermediate, and final reports.
  • Digital Operational Resilience Testing: Executing a risk-based testing program, ranging from vulnerability assessments to open-source analyses. For significant entities, this includes the management of Threat-Led Penetration Testing (TLPT) cycles every three years.
  • ICT Third-Party Risk Management: Managing the full lifecycle of relationships with ICT providers, with particular focus on services supporting Critical or Important (CoI) functions. This pillar demands a robust Register of Information and clear strategies for concentration risk and exit management.
  • Information Sharing: Engaging in voluntary arrangements to exchange cyber threat intelligence and indicators of compromise. This collaborative approach enhances the collective resilience of the financial community against sophisticated systemic threats.

Regulatory Framework & Technical Standards

The DORA Regulation mandated the European Supervisory Authorities (ESAs) and the Commission to develop a number of regulatory products and reports – i.e. Level 2 and Level 3 texts – mainly implemented through Commission Delegated Regulations (CDR) and Commission Implementing Regulations (CIR). As we move through 2026, these technical standards provide the granular detail necessary for maintaining a mature resilience framework.

In addition, DORA mandated the ESAs and the Commission to develop regulatory products and reports concerning critical ICT third-party service providers and their oversight, an oversight framework that is currently being rolled out across the EU.

The Luxembourg Context: CSSF Operationalization

In Luxembourg, the CSSF has issued specific circulars to operationalize DORA. These define the practical modalities for notifying the CSSF of major ICT incidents, estimating financial losses, and fulfilling reporting requirements for ICT third-party providers.