Financial Sector

Digital Operational Resilience Act

In view of the increasing information and communication technology (ICT) risks and the growth in digitalisation and interconnectedness, the Digital Operational Resilience Act (DORA) was established to further strengthen digital operational resilience in the EU financial sector by introducing a common legal framework (the Level 1 text), which will enter into application on 17 January 2025.

The six main pillars of DORA are as follows:

[Figure: Six main pillars of DORA]

In September 2024, Derisk Advisory joined forces with DSM Avocats à la Cour to host a webinar on DORA's implications for Luxembourg financial institutions. It is available for replay on YouTube.

DORA mandates the European Supervisory Authorities (ESAs) and the Commission to develop a number of regulatory products and reports, i.e. Level 2 and Level 3 texts. As of the publication date, their status is as follows:

Regulatory products and reports relevant to financial institutions

| Level | Legislation (or equivalent) | Linked to | Publication status |
|---|---|---|---|
| 1 | DORA Regulation (EU) 2022/2554 | n/a | Entered into force |
| 2 | CDR on ICT risk management framework | Art. 15 | Entered into force |
| 2 | CDR on the classification of ICT-related incidents and cyber threats | Art. 18(3) | Entered into force |
| 2 | Final Draft RTS and ITS on content, timelines and templates on ICT-related incident reporting | Art. 20 | Final Draft |
| 2 | Final Draft RTS on threat-led penetration testing | Art. 26(11) | Final Draft |
| 2 | CDR on the policy on ICT contractual arrangements supporting ‘CoI’ functions | Art. 28(10) | Entered into force |
| 2 | Final Draft RTS on subcontracting of ‘CoI’ functions | Art. 30(5) | Final Draft |
| 2 | CIR on the register of information | Art. 28(9) | Entered into force |
| 3 | Final Draft Guidelines on aggregated costs and losses from major ICT-related incidents | Art. 11(1) | Final Draft |

Regulatory products and reports relevant to critical ICT third-party service providers and their oversight

| Level | Legislation (or equivalent) | Linked to | Publication status |
|---|---|---|---|
| 2 | CDR on the criticality criteria to designate CTPPs | Art. 31(6) | Entered into force |
| 2 | Final Draft RTS on oversight harmonization | Art. 41(1) | Final Draft |
| 2 | Final Draft RTS on oversight harmonization – joint teams’ composition | Art. 41(1)(c) | Final Draft |
| 2 | CDR determining the oversight fees for CTPPs | Art. 43(2) | Entered into force |
| 3 | Draft Guidelines on oversight cooperation between the ESAs and competent authorities | Art. 32(7) | Final Draft |