The Financial Sector Supervisory Commission (CSSF) cites “a particularly high workload.” It’s an indication of the difficulties encountered by the financial centre in implementing the Digital Operational Resilience Act (Dora). Photo: Matic Zorman/Archives
Tuesday 15 April marks an important deadline for financial institutions, which are required to submit their ICT service contracts to the CSSF. Will the timetable be respected? The banking sector, for example, has already experienced delays relating to the management of risks associated with subcontractors.

April represents a key moment in the deployment of the Digital Operational Resilience Act (Dora). As part of the new European regulation (aimed at strengthening the digital operational resilience of financial entities in the face of cyber threats and ICT risks), the institutions concerned must keep an up-to-date register of information relating to all contracts for ICT services provided by third-party service providers. They must send this register to the Luxembourg Financial Sector Supervisory Commission (CSSF). The CSSF must then submit it to the European authorities by 30 April.

Contacted for an update, the CSSF declined to comment, citing “a particularly heavy workload.” This is an indication of the difficulties encountered by the financial centre in implementing Dora, which has experienced a number of delays since the text came fully into force on 17 January 2025.

“Whilst there is no quantified estimate of delays across the entire banking sector in Luxembourg, it is fair to say that a number of institutions have encountered challenges in meeting the timeline, particularly in areas where the regulatory technical standards (RTS/ITS) were finalised very close to the 17 January 2025 application date,” says the Luxembourg Bankers’ Association (ABBL). “However, most credit institutions in Luxembourg have invested significant resources in their Dora readiness and were already working on compliance well ahead of the deadline.”

Many bottlenecks

In general, explains the ABBL, “smaller institutions, including some investment firms and specialised service providers, may face more challenges due to limited internal resources and greater dependency on third-party ICT providers. Larger institutions, whilst often better resourced, are dealing with the complexity of group-level compliance across multiple jurisdictions, which can also be demanding.”

Among the main bottlenecks causing delays, the banking association cites:

- navigating the interplay of Dora with other existing ICT frameworks at the EU level;

- mapping and documenting ICT assets and third-party providers for the register of information;

- updating outsourcing contracts to comply with article 30 of Dora;

- establishing or aligning internal frameworks for incident classification, reporting and risk testing; and

- clarity around subcontracting chains and proportionality of oversight requirements.

“The volume, granularity and complexity of the information required for the register of information pose a challenge.”
Paul Wilwertz, head of communications, ABBL

“The subcontracting framework remains an additional area of uncertainty for financial institutions. The European Commission has just recently adopted the delegated regulation specifying the key elements that financial entities must assess when subcontracting ICT services supporting critical or important functions,” adds the ABBL. “This delay adds to the complexity of Dora compliance efforts, especially in the area of third-party risk management.”

The financial institutions represented by the ABBL finally point out that “the volume, granularity and complexity of the information required for the register of information pose a challenge. Identifying all relevant ICT services, classifying them, and associating them with critical or important functions, whilst ensuring data consistency, is a resource-intensive process, especially for institutions with large or decentralised IT environments.”

Funds: three types of difficulty

As far as investment funds are concerned, three main types of difficulty in achieving compliance have been identified. The first concerns certain service providers who consider that they are not affected by Dora, believing that they do not offer critical services. “It is not up to the service provider to judge its criticality, but up to the management company to assess it, based on its own processes and using a risk-based approach,” says Isadora Pardo, senior VP of industry affairs at the Association of the Luxembourg Fund Industry (Alfi).

Another problem identified by both the ABBL and Alfi is the unique identification of service providers via the legal entity identifier (LEI). This international code enables each legal entity to be reliably identified, which is an essential condition for grouping and cross-referencing the information records transmitted by the various financial entities. “Some service companies don’t have an LEI and are dragging their feet to obtain one because it involves an administrative process,” stresses Pardo. “But it’s essential: Dora’s aim is to identify the service providers most in demand at European level in order to strengthen prudential supervision and prevent systemic risks.”

The third difficulty concerns contracts: the contractual terms and conditions with ICT suppliers need to be updated and entered in the information register. “In 80% of cases, this goes well. But the remaining 20% take up 80% of the time, with long and complex negotiations.”

“The industry is used to large-scale data collection exercises, such as the regulation on the publication of sustainability information in the financial services sector (SFDR).”
Isadora Pardo, senior VP of industry affairs, Alfi

As for the substantial volume of data to be processed, it did not represent a particular source of difficulty for the Luxembourg fund industry. “The industry is used to large-scale data collection exercises, such as the regulation on the publication of sustainability information in the financial services sector (SFDR) or the annual audit and compliance reports. It’s an additional burden, certainly, but not an insurmountable obstacle,” adds Pardo.

Subcontracting chains can, however, complicate the task. “When an ICT supplier itself calls on other critical service providers, all this information must be traced and included in the register. This can be more complex in the event of last-minute changes, but this is one of the dimensions that the industry has been able to anticipate.”

Insurers are going further

In implementing Dora, not all sectors are starting from the same level, says Pardo. “Banks, thanks to the guidelines issued by the European Banking Authority (EBA), were already fairly close to the target framework. Management companies, a little less so, but in Luxembourg, circular 22/806 enabled them to prepare. It is for insurers that the step is the highest.”

Aca, the association of insurers and reinsurers established in Luxembourg, states that “insurance companies have been working for several months on the implementation of Dora. The measures required to comply with the regulation are substantial and require the commitment of many resources.” The Dora information register must be sent to the Commissariat aux Assurances (CAA) by 18 April at the latest.

“Preparing the data is tedious work, requiring the collection of a large volume of data. And the complexity of the file made available by the European authorities is an additional source of difficulty,” says Aca. “We have no specific information about any delays by companies in implementation and are therefore not in a position to communicate on this subject.”

(What is the CSSF’s approach to Dora? This subject will be covered in more detail in a second article.)

This article was originally published in .