DORA is the EU's most significant regulatory initiative on cyber security and operational resilience, affecting most financial entities. These entities must comply with the regulation by January 2025. The initiative aims to create a single set of regulatory and supervisory rules for digital resilience across all Member States. For Luxembourg-based financial entities, DORA will have an extensive impact on the organization beyond Information and Communication Technology (ICT). The rules differentiate between outsourcing critical or important business processes (BPO) and "pure" ICT outsourcing, requiring organizations to have clear control and monitoring processes for outsourced activities. Additionally, DORA reinforces the European Banking Authority's (EBA) Guidelines on ICT and security risk management, emphasizing executive-level accountability for regulatory compliance, change management, critical outsourcing control and monitoring processes, and business continuity management (BCM).
The scope of DORA covers financial entities operating in the EU, including credit institutions, payment institutions, investment firms, electronic money institutions, crypto-asset service providers, central securities depositories, managers of alternative investment funds, management companies, and insurance and reinsurance undertakings.
As the regulation will become applicable on 17 January 2025, all in-scope entities have 24 months from its publication in the EU Official Journal (27 December 2022) to comply with all requirements. In order to ensure compliance, it is essential that all relevant stakeholders are involved and that the management body retains ultimate responsibility for complying with DORA.
A set of Regulatory and Implementing Technical Standards (RTS and ITS) will be issued in the upcoming months to facilitate the implementation of DORA. In this context, we recommend that firms conduct a DORA gap analysis and start designing an enhanced operational resilience framework as soon as possible.
Avantage Reply can help financial institutions comply with the DORA regulatory requirements by leveraging our expertise in IT risk management, outsourcing, operational risk and operational resilience. Our teams have a successful track record in supporting clients with risk assessments of their IT processes and implementing controls in order to mitigate risks. We have helped a multitude of clients in understanding operational resilience regulatory requirements and implementing them by adapting internal processes and procedures and/or developing new solutions to achieve full compliance.
More information about outsourcing regulatory developments at the European level is available here.