DORA: From Project Mode to Day-to-Day Management
January 29, 2026
This interview with our principal consultant, Laurent de la Vaissière, first appeared in the 39th edition of Andy à Luxembourg. We are grateful to Sylvain Aubry and the Association of Luxembourg Compliance Officers (ALCO) for this exchange, which we have translated below for our international readers.

The DORA regulation imposes new digital resilience requirements on financial institutions. It has been applicable for almost a year now, and the challenge goes beyond simple compliance. With 20 years of experience in tech and cyber risk in Luxembourg, Laurent de la Vaissière shares a pragmatic vision. Interview by Sylvain Aubry, Head of AIFM for Carlyle, on behalf of ALCO.
What are the most common challenges you see in implementing DORA in Luxembourg?
Beyond the prescriptive nature of the text, most of the challenges lie with IT providers. The difficulty stems from DORA’s very broad scope, which includes all IT services (including software), and not just traditional outsourcing. This generates time-consuming activities: maintaining the register of information, updating a large number of contracts, and managing human change with suppliers who are not always mature on the subject. The main factors that differentiate entities are not so much their type of license (bank, AIFM, etc.) as two other elements. The first is their level of IT pooling with the group (can we rely on our group?). The second is the size of the Luxembourg entity (do we have sufficient internal resources to absorb the load?).
Apart from suppliers, which aspects of DORA are most underestimated by organizations?
Two major elements: the principle of proportionality, which is a strategic approach, and exception management, which is a tactical approach. Proportionality is essential: it requires the institution to characterize itself (size, complexity, etc.) and define its internal governance in order to adapt its controls. Exception management, on the other hand, is crucial on a day-to-day basis; a formalized, documented, and auditable process is needed to manage and approve deviations. Both of these points require strong involvement from senior management. DORA is a real game changer in terms of management involvement in technology and cyber risk issues.
Now that the implementation deadline has passed, what is the real challenge for the future?
The challenge is to move from “project” compliance, often managed in Excel, to “industrialized” and sustainable management. The Register of Information (ROI) illustrates this point: it is not a one-off exercise; it must be kept up to date and can be requested by the CSSF at any time. Resilience must be firmly anchored in GRC (Governance, Risk, Compliance) processes. To achieve this, the use of dedicated technological tools is a worthwhile investment. They allow you to focus on data quality rather than technical formatting, while establishing a link with other third-party risk management (TPRM) processes.