Of the 389 financial entities that responded to the survey, only one considered itself fully ready for Dora, according to the results from Luxembourg’s financial regulator, the CSSF. Archive photo: Nader Ghavami

With just over three months before full implementation, the Luxembourg financial regulator’s Dora readiness survey revealed that of the nearly 80% of financial entities that participated, almost 90% conducted a gap analysis and 71% reported feeling partially ready, highlighting significant ongoing compliance challenges.

The Digital Operational Resilience Act (Dora) is an EU regulation that took effect on 16 January 2023, with full applicability starting on 17 January 2025. To evaluate the final preparedness of financial entities in the grand duchy, the Luxembourg Financial Sector Supervisory Commission (CSSF) conducted a survey in September 2024. The findings, published on Monday 7 October, revealed an overall perceived readiness score of 2.8, where a score of 1 indicates full readiness and 4 indicates lack of readiness, suggesting that most financial entities are facing significant challenges in meeting Dora compliance.

Dora aims to strengthen the information technology security of financial institutions, including banks, insurance companies and investment firms, to ensure that the European financial sector can remain resilient during severe operational disruptions.

The survey garnered strong participation, with 389 out of the 494 contacted entities responding, representing an approximate participation rate of 80%.

Gap analysis

The survey revealed that nearly 90% of the respondents had conducted a gap analysis to compare their current situation with Dora requirements. Those that performed the gap analysis generally covered all four essential topics outlined in Dora.

However, just over 10% of the entities reported being very late in their preparations and were advised to initiate their gap analysis and action plan without delay.

Among the respondents, credit institutions were found to be the most advanced, with over 97% having completed a gap analysis. Alternative investment fund managers (AIFMs) and management companies followed closely, with nearly 90%, while investment firms, payment institutions (PIs), and electronic money institutions (EMIs) ranged between 74% and 84%.

Perceived readiness level

In terms of perceived overall readiness, the average score across the entities was recorded at 2.8 on a scale where 1 indicated full readiness and 4 indicated a lack of readiness. This score suggested that while the market remained in a preparatory phase, it was making progress, said the CSSF.

Notably, 71% of entities considered themselves partially ready, a sentiment that was consistent across various types of entities. In addition, 23% of the entities felt mostly ready, while 6% did not perceive themselves as ready at all, with only one entity claiming full readiness.

The responses indicated a balanced readiness across different topics, except in the area of information and communication technology (ICT)-related incident management, which had a slightly better score of 2.5. This may have been attributed to the existing ICT incident management frameworks already aligning closely with Dora requirements, reasoned the CSSF. The survey also highlighted that between 30% and 53% of entities were fully or mostly ready in specific areas, with many still facing considerable work ahead.

Bottlenecks

The survey outlined several challenges encountered by entities in their Dora compliance efforts. Among the challenges proposed for selection were a lack of understanding of Dora requirements, resource shortages (including technical, human resources and budget), short timeframes for implementing Dora requirements and the complexity of coordinating efforts across groups.

Other challenges included the establishment of new governance structures, the need for a digital operational resilience strategy, mapping critical functions to information and ICT assets, aligning incident reporting processes, negotiating contracts with third-party ICT service providers and the unavailability of information necessary to complete the register of information.


Financial entities

The most critical challenges identified by the respondents were contractual negotiations with ICT third-party service providers, which affected 54% of the entities, followed by dependence on group coordination efforts (42%) and resource shortages (40%). Resource shortages were raised as a priority by nearly one in four entities (23%). Conversely, only 12% of entities highlighted the alignment of ICT-related incident reporting processes as a challenge, and 1% deemed understanding Dora requirements as a top priority, although 17% raised it as a priority overall.

Challenges by type of entity

When the findings were further analysed by type of entity, different challenges emerged. For AIFMs and mancos, contractual negotiations with ICT service providers were noted as the primary challenge, with 51% citing this issue, followed by dependence on group coordination (44%).

For banks and credit institutions, the same contractual negotiations were raised by 66%, while 49% cited dependence on group efforts. Shortage of resources was highlighted as a primary concern by 27% of banks.

Investment firms similarly identified contractual negotiations with ICT service providers as their top challenge, with 53% noting this issue and 18% prioritising it. In contrast, for PIs and EMIs, shortage of resources was the most significant concern, affecting 63% of entities and being raised as a priority by 47%.

The full analysis is available.