DORA, digital resilience for the financial sector.
DORA (EU regulation 2022/2554) imposes a strict ICT risk management framework on EU financial entities. Applicable since 17 January 2025, it is directly binding (no national transposition needed). In Luxembourg, the CSSF is the supervisory authority.
Who is in scope?
All financial entities in the broad sense: banks, investment firms, asset managers, UCITS, AIFs, EMIs, insurers and reinsurers, insurance intermediaries, crowdfunding platforms, crypto-asset service providers, central depositories, central counterparties, trading venues, credit rating agencies and data reporting service providers. It also reaches critical third-party ICT service providers (cloud, data centres, key SaaS vendors).
Key obligations
- ICT risk management framework: governance, identification of critical assets, protection, detection, response, recovery, learning and evolution.
- Major ICT incident management, classification and notification: initial notification within 4 hours, interim report within 72 hours, final report within 1 month.
- Digital operational resilience testing: regular tests on critical systems and advanced tests (Threat-Led Penetration Testing, TLPT) every 3 years for significant entities.
- ICT third-party risk management: provider register, mandatory contractual clauses, exit plans, continuous monitoring, designation of critical providers with direct European supervision.
Deadlines
DORA has been applicable since 17 January 2025. No transitional phase. The CSSF issued application circulars in 2024 and has been conducting inspections since Q1 2025.
Sanctions for non-compliance
Heavy administrative sanctions: up to 1% of average daily turnover per day of non-compliance (capped at 6 months). For very large entities, the resulting amounts can be very substantial. CSSF sanctions are cumulative with other sanctions (GDPR, NIS 2 where applicable).
How Luxgap helps
Our CISO mandate covers DORA's full scope, with a dedicated team for sector-specific requirements. Our business continuity plan is aligned with DORA and ISO 22301. We also run TLPT testing in partnership with accredited testers.
Let's set up your DORA compliance.
Configure a quote for a CISO mandate for the financial sector. We reply within one business day.