Criminal penalties
Digital Operational Resilience Act · UE 2022/2554
Criminal penalties
1. Member States may decide not to lay down rules for administrative penalties or remedial measures for breaches that are subject to criminal penalties under their national law.
2. Where Member States have chosen to lay down criminal penalties for breaches of this Regulation, they shall ensure that appropriate measures are in place so that competent authorities have all the necessary powers to liaise with judicial, prosecuting, or criminal justice authorities within their jurisdiction to receive specific information related to criminal investigations or proceedings commenced for breaches of this Regulation, and to provide the same information to other competent authorities, as well as EBA, ESMA or EIOPA to fulfil their obligations to cooperate for the purposes of this Regulation.
In Luxembourg, the implementation and enforcement of DORA fall to the CSSF (for banking and markets) and the Commissariat aux Assurances for insurance entities. The Luxembourg legislator has retained a pre-existing financial criminal framework (notably the law of 5 April 1993 on the financial sector and the Criminal Code for forgery and obstruction), so that false statements and obstruction of CSSF powers can be prosecuted criminally alongside DORA administrative sanctions. Cooperation between the CSSF and the public prosecutor is organised, giving concrete effect to the information sharing referred to in Article 52(2).
Luxgap practice: document every major ICT incident escalation in a timestamped tamper-proof register and separate CSSF communication from internal communication, so as never to weaken your position if a file shifts toward the Luxembourg prosecutor.