Recital 53

Digital Operational Resilience Act · EU 2022/2554

(53)

While all financial entities should be required to carry out incident reporting, that requirement is not expected to affect all of them in the same manner. Indeed, relevant materiality thresholds, as well as reporting timelines, should be duly adjusted, in the context of delegated acts based on the regulatory technical standards to be developed by the ESAs, with a view to covering only major ICT-related incidents. In addition, the specificities of financial entities should be taken into account when setting timelines for reporting obligations.

Luxembourg specificity
Luxembourg law of 1 June 2023 implementing Regulation (EU) 2022/2554 (DORA)

In Luxembourg, major ICT-related incidents under DORA are notified via the eDesk portal to the CSSF, the competent authority designated by the law of 1 June 2023 implementing the DORA Regulation. The CSSF has clarified in its application circular that the thresholds of Delegated Regulation 2024/1772 apply strictly, with no additional de minimis threshold for small entities, and that the initial notification must be submitted in French, English or German.

Luxgap practice: pre-configure your Incident Severity Engine with the CSSF eDesk templates, and formally designate a CISO/Compliance Officer pair responsible for validating the incident qualification within 4 hours, with a written audit trail of that decision.