Luxembourg: Implementation and enforcement of the Digital Operational Resilience Act into Luxembourg law

In brief

On 2 July 2024, the Luxembourg law ("Law") implementing the new European framework for the effective and harmonized management of digital risks in the financial sector, namely the Digital Operational Resilience Act (DORA), was published in the Luxembourg official gazette. 

Like DORA, the Law will apply as of 17 January 2025.

The Law designates the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) as the competent Luxembourg authorities responsible for ensuring that DORA is applied by the in-scope entities subject to their respective supervision. The Law also establishes the system of administrative sanctions and other administrative measures that these authorities may impose if DORA's provisions are violated.

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.



Key takeaways 

DORA represents a significant step forward in enhancing the financial sector's digital operational resilience in Luxembourg and across Europe. 

As a reminder, DORA imposes new obligations on financial entities and certain information and communication technology (ICT) service providers,[1] requiring them to implement robust measures to manage and mitigate ICT risk. These obligations rest on five pillars:

  • ICT risk management and ICT governance. The first pillar concerns the adoption of a comprehensive ICT risk management framework, and the governance around it, to address evolving digital risks. In particular, financial entities must ensure that their ICT documentation (procedures, policies, controls and tools) complies with DORA's requirements. Moreover, the regulation explicitly requires the members of the financial entity's management body to actively maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on the entity's operations, including by regularly following specific training commensurate with the ICT risk being managed. Furthermore, the management body must play an active and central role in steering the entity's ICT risk management framework and overall digital resilience strategy and in adapting them to DORA.
  • ICT incident management and reporting. The second pillar concerns the management and reporting of ICT-related incidents. Financial entities must have a streamlined process to log and classify ICT-related incidents, and must report major ICT-related incidents to the competent authority. DORA also allows financial entities to notify the competent authority, on a voluntary basis, of significant cyber threats.
  • Digital operational resilience testing program. The third pillar requires financial entities to regularly perform assessments such as vulnerability assessments, penetration testing and scenario-based exercises; for financial entities identified by the competent authority, this also includes advanced threat-led penetration testing (TLPT) of live production systems at least every three years. All ICT systems and applications supporting critical or important functions must be tested regularly to ensure that they can withstand and recover from operational disruptions.
  • Strategy for ICT third-party risk. The fourth pillar obliges financial entities to adopt, and regularly review, a strategy on ICT third-party risk, including the risk arising from cloud computing services. That strategy must include a policy on the use of ICT services supporting "critical or important functions" provided by ICT third-party service providers. Financial entities must also make sure that these providers meet the same demanding operational resilience requirements. This involves performing due diligence before contracting, monitoring the provider's performance throughout the relationship, and ensuring that the contractual arrangements contain the provisions DORA requires (such as a full description of the services, audit and access rights, and termination rights).
  • Information and intelligence sharing. The fifth pillar allows financial entities, on a voluntary basis, to exchange cyber threat information and intelligence among themselves, enhancing the financial sector's overall capacity to identify, respond to and reduce ICT risks.

In accordance with the Law, the CSSF and the CAA are empowered to impose, within the limits of their respective competences, the following administrative sanctions and measures on persons subject to their supervision if certain provisions of DORA are violated:

  • An injunction ordering the person responsible for the violation to put an end to the conduct in question and refrain from repeating it
  • The temporary or definitive cessation of any practice judged by the competent authority as contrary to the provisions of DORA
  • For a natural person, an administrative fine of up to EUR 5 million
  • For a legal entity, an administrative fine of up to EUR 5 million or up to 10% of its total annual turnover according to the latest available accounts approved by the management body
  • A public statement specifying the identity of the person responsible and the nature of the violation, in accordance with Article 54 of DORA

In addition to implementing DORA, the Law transposes into Luxembourg law Directive (EU) 2022/2556 of 14 December 2022, which amends specific European financial-sector directives to embed digital operational resilience and ICT security requirements.

To that end, the Law makes targeted amendments to nine Luxembourg financial-sector laws, including the law of 5 April 1993 on the financial sector, as amended; the law of 10 November 2009 on payment services, as amended; the law of 17 December 2010 on undertakings for collective investment, as amended; the law of 12 July 2013 on alternative investment fund managers, as amended; and the law of 7 December 2015 on the insurance sector, as amended, so that the entities they cover are required to integrate DORA's ICT requirements into their organization.


[1] DORA covers a wide range of financial entities, including credit institutions, investment firms, payment and electronic money institutions, central counterparties and trade repositories, authorized alternative investment fund managers, (re)insurance undertakings and intermediaries, and crypto-asset service providers. It also extends to certain entities not traditionally covered by financial regulation: crowdfunding service providers are in scope as financial entities, and ICT third-party service providers (such as cloud service providers and data center operators) are also subject to DORA, with those designated as critical falling under a dedicated Union-level oversight framework.



Copyright © 2024 Baker & McKenzie. All rights reserved.