Articles, by our experts

Unpacking compliance, security and AI.

Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.

28 articles found · #dora

CSSF — DORA: ICT register due March 31, 2026; inventory is critical

The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.

Italy: €100,000 fine against Lepida over LepidaID shortcomings

Italy’s DPA fined Lepida S.c.p.A. €100,000 for GDPR violations in managing LepidaID (>1.5M users). Transparency, data minimization, and excessive log retention were flagged.

CSSF — Ivanti EPMM: RCE exploited, mandatory DORA notification

On 10 February 2026, the CSSF warned of two actively exploited Ivanti EPMM RCEs (CVE‑2026‑1281/1340) and reminded firms that this constitutes a major ICT incident to notify (Circulars 25/893 and 24/847).

BSI v2.0 “Logging and Detection”: What It Changes for Your Logs and SIEM

In April 2026, BSI released v2.0 of its minimum standard “Protokollierung und Detektion.” Here’s how to align logging, detection, and investigation with NIS 2 and DORA, and meet ILR/CSSF expectations.

DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?

On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.

ENISA publishes its Cybersecurity Exercise Methodology (16 Feb 2026)

ENISA releases a comprehensive methodology and toolkit to design and run cyber exercises. Here is how to align it with DORA (Art. 24) and NIS 2 for robust compliance evidence.

CSSF 26/906: governance and DORA-grade immutable backups by June 30

CSSF 26/906 requires PSPs/EMIs to reassess governance and risk management by 30 June 2026. Immutable, isolated backups are the DORA-proof of ransomware resilience.

DORA — Third-country branches: ICT register due by June 30

DORA’s final stretch in Luxembourg: third‑country bank branches must submit their ICT register to the CSSF by June 30, 2026 at the latest. Here is how to get it done this week.

CSSF — Axios compromised (31/03/2026): EDR/XDR to detect and notify under DORA

The CSSF warns about the Axios supply‑chain compromise and reminds firms to notify a major ICT incident under Circular 25/893 (DORA). Here is how an EDR/XDR stack helps detect, contain, and notify on time.

ENISA 2026: Separate, tested backups aligned with DORA

ENISA updates its SME guide: backups separated from production, encrypted and end-to-end tested. How immutable, isolated vaults meet DORA Art. 12 and thwart ransomware.

CSSF 25/880 — the 2026 PSP ICT Assessment requires continuous VM

The CSSF opened the 2026 “PSD2 – PSP ICT Assessment” campaign: every PSP must submit an up‑to‑date ICT risk assessment via eDesk. Continuous vulnerability management aligns with NIS 2 Art. 21 and DORA Arts. 25–27.

Stryker: mass device wipe — why immutable, isolated backups are vital

After the remote wipe of tens of thousands of Stryker devices, immutable and isolated backup architecture is essential to recover quickly and demonstrate DORA compliance.

Page 1 / 3 Older →