17/01/25

Entry into application of DORA today

On 15 January 2025, the CSSF published a communiqué as a reminder of the entry into application, from 17 January 2025, of the Digital Operational Resilience Act (DORA) and its underlying regulatory technical standards and implementing technical standards, as published in the Official Journal of the EU.

DORA represents a pivotal step forward in consolidating and enhancing ICT risk management requirements for financial entities. It emphasises the importance of unified cybersecurity protocols to mitigate ICT-related risks and ensure robust operational resilience within the financial sector.

Key points

  • DORA precedence: DORA requirements will override any overlapping elements in the existing CSSF circulars related to:
    • ICT and security risk management (CSSF 20/750),
    • ICT outsourcing (CSSF 22/806), and
    • ICT-related incident reporting (CSSF 24/847).

      Provisions of these circulars that are not related to DORA remain applicable in their current form.
  • Preparation for reporting obligations: Financial entities must ensure they have a valid LEI code to be able to submit their required reporting and assign the specific eDesk role of “IT incident notifier” to fulfil these obligations as of 17 January 2025.
  • Register of information (ROI) submission deadline: Financial entities are required to submit a ROI in relation to all contractual arrangements on the use of ICT services in CSV format through eDesk between 1 April and 15 April 2025. The information in the ROIs will be verified and, if errors are detected, the submitting financial entity will be asked to fix the detected errors and re-submit its register before 30 April 2025. The ESAs will perform additional checks throughout May 2025. If they detect additional errors and thus refuse the register on their side, the submitting financial entity must fix the detected errors and re-submit its register to the CSSF, which will then send the re-submitted register to the ESAs.
  • Outsourcing for reporting purposes: Financial entities that outsource incident reporting must provide the CSSF with the relevant third party’s details in advance. Aggregated reporting by third parties is not currently permitted.
  • Weekend and bank holiday reporting: While the RTS specify that most financial entities may be exempted from reporting major incidents on weekend days or bank holidays, certain financial entities will nevertheless be required to report major ICT-related incidents during weekends and holidays. Affected entities will be informed of this by the end of February 2025.
  • No ESA tools for ROI generation: The ESAs will not provide tools or scripts for generating registers of information, as they did during the dry run exercise.