Compliance · Financial sector

DORA: digital resilience for the financial sector.

DORA (Regulation (EU) 2022/2554) imposes a strict ICT risk management framework on EU financial entities. Applicable since 17 January 2025, it is directly binding (no national transposition needed). In Luxembourg, the CSSF is the supervisory authority.

Luxgap explorer
Browse the 64 articles and the 106 recitals of the law, with Luxgap practical guidance

Who is concerned?

All financial entities in the broad sense: banks, investment firms, asset managers, UCITS, AIFs, EMIs, insurers and reinsurers, insurance intermediaries, crowdfunding platforms, crypto-asset service providers, central depositories, central counterparties, trading venues, credit rating agencies, data reporting service providers. And also: critical third-party ICT service providers (cloud, datacenters, key SaaS vendors).

Key obligations

  • ICT risk management framework: governance, identification of critical assets, protection, detection, response, recovery, learning and evolution.
  • Major ICT incident management, classification and notification: initial notification within 4 hours, interim report within 72 hours, final report within 1 month.
  • Digital operational resilience testing: regular tests on critical systems and advanced tests (Threat-Led Penetration Testing, TLPT) every 3 years for significant entities.
  • ICT third-party risk management: provider register, mandatory contractual clauses, exit plans, continuous monitoring, designation of critical providers with direct European supervision.

Deadlines

DORA has been applicable since 17 January 2025. No transitional phase. The CSSF issued application circulars in 2024 and has been conducting inspections since Q1 2025.

Sanctions for non-compliance

Heavy administrative sanctions: up to 1% of average daily turnover per day of non-compliance (capped at 6 months). For very large entities, this can be enormous. CSSF sanctions are cumulative with sanctions under other regimes (GDPR, NIS 2 where applicable).

How Luxgap helps

Our CISO mandate covers DORA's full scope, with a dedicated team for sector-specific requirements. Our business continuity plan is aligned with DORA and ISO 22301. We also run TLPT testing in partnership with accredited testers.

The DORA regulatory ecosystem, without the fog

DORA does not stand alone: it is a framework regulation completed by technical standards (RTS) and articulated with Luxembourg law. Here is the full map we master:

  • DORA is lex specialis for the financial sector: for the entities it covers, it prevails over NIS 2 on ICT risk management and incident notification (Article 1 DORA).
  • Penetration testing (TLPT): specified by Delegated Regulation (EU) 2025/1190, implemented in Luxembourg via the TIBER-LU framework (BCL + CSSF).
  • ICT subcontracting: specified by RTS (EU) 2025/532 on ICT services supporting critical functions.
  • Outsourcing: CSSF Circular 22/806, amended by CSSF 25/883 to align with DORA.
  • ICT third-party services: CSSF Circular 25/882 gives the CSSF's practical instructions.
  • ICT risk management: CSSF Circular 20/750, amended by CSSF 25/881.
  • Data breaches: articulation with the GDPR where an ICT incident exposes personal data (dual CSSF + CNPD notification).

Let's set up your DORA compliance.

Configure a quote for a CISO mandate for the financial sector. Reply within one business day.
