Financial Crime World

Luxembourg Takes Significant Step Forward in Enhancing Financial Sector’s Digital Operational Resilience with New Banking Regulations

Luxembourg has introduced a new banking regulation, known as DORA (Digital Operational Resilience Act), aimed at bolstering the financial sector’s digital operational resilience. This legislation represents a significant enhancement to the sector’s digital risk management framework and aims to better equip financial institutions to navigate the ever-evolving digital landscape.

Key Provisions of DORA

  • Financial entities are required to implement robust measures to manage and mitigate information and communication technology (ICT) risks.
  • Adoption of a comprehensive ICT risk management framework and governance structure is mandatory.
  • Regular training for members of the management body on ICT risk assessment and mitigation is required.

Five-Pillar Approach to Digital Operational Resilience Testing

  • ICT incident management and reporting
  • Vulnerability assessments
  • Penetration testing
  • Scenario-based exercises
  • Strategy for ICT third-party risk

Requirements for Financial Institutions

  • Adopt a strategy for assessing the risks posed by ICT third-party service providers.
  • Regularly review and update this strategy.

Sanctions for Non-Compliance

  • Injunctions
  • Temporary or definitive cessation of practices
  • Administrative fines
  • Public statements

Transposition into Luxembourg Law

DORA also transposes Directive 2022/2556 into Luxembourg law; that directive amends specific European financial sector directives to implement digital resilience and ICT security requirements.

Impact on Financial Sector

The new regulations introduce targeted amendments to nine Luxembourg laws relating to the financial sector, requiring supervised entities to integrate DORA requirements into their organization. The Law applies to a wide range of financial entities, including:

  • Credit institutions
  • Investment firms
  • Payment and electronic money institutions
  • Central counterparties
  • Trade repositories
  • Authorized alternative investment fund managers
  • (Re)insurance undertakings and intermediaries
  • Crypto-asset services providers

Conclusion

The introduction of DORA represents a significant step forward in enhancing the financial sector’s digital operational resilience in Luxembourg and across Europe. The new regulations are designed to better equip financial institutions to navigate the evolving digital landscape and reduce the risk of ICT-related incidents.