
DORA: myths against reality

Myth #1: DORA requirements are new.

DORA is indeed new, but it builds on existing European guidelines and frameworks. In Luxembourg, these guidelines have been transposed into specific circulars by the CSSF or the CAA, and Luxembourg’s financial sector has integrated ICT risk management, third-party risk management and resilience into its operations, laying a foundation for DORA compliance. DORA is also “lex specialis”: where its domains overlap with other regulations, it takes precedence and prevails over them. Entities within Luxembourg’s financial sector have largely adopted these regulations, so ICT risk management, third-party risk management and resilience are already fundamental characteristics of the sector’s entities and stakeholders.

Myth #2: Compliance with DORA is the goal.

While the path to DORA compliance is ambitious, with detailed requirements outlined in the Level 1 and Level 2 texts, some firms have underestimated the effort required to comply. We are convinced that DORA is an opportunity: a journey that firms should embrace to strengthen their operational resilience and benefit from the knowledge of experts. Firms should build a comprehensive DORA programme, prioritise critical and important functions, update ICT third-party contracts, and prepare the Register of Information.

Myth #3: Third Party Risk Management is limited to outsourcing.

While the CSSF Circular 22/806 provides a solid base for compliance, DORA extends beyond outsourcing. Financial entities must assess risks from all ICT third-party service providers, considering the criticality of services, the impact on continuity and the importance of the impacted function. This requires diligent contract reviews and a detailed Register of Information.

Myth #4: Operational Resilience Testing is already done through BCM testing.

DORA’s operational resilience testing goes beyond Business Continuity Management (BCM), encompassing the entire digital infrastructure. It requires proactive identification and mitigation of vulnerabilities. Critical Entities must engage in Threat-Led Penetration Testing (TLPT) to simulate and defend against sophisticated cyber-attacks. In essence, DORA’s operational resilience testing is a multi-faceted approach that ensures financial institutions are not just prepared to recover from disruptions but are also equipped to prevent and withstand them.

Myth #5: Non-compliance in January 2025 will be punished.

DORA will be directly applicable in Luxembourg, with the CSSF and the CAA monitoring compliance. Draft Law n°8291 outlines various administrative sanctions for non-compliance, including fines and public disclosures (administrative fines of up to EUR 5,000,000 for natural persons, and administrative fines of up to EUR 5,000,000 or up to 10% of total annual turnover for companies). It is unlikely that non-compliant financial entities will be sanctioned immediately in January 2025. The competent national authorities (the CSSF and the CAA for Luxembourg) will consider the effort already made, the proportionality principle and the roadmap developed to reach compliance.

In conclusion, financial institutions must focus on critical functions, treat identified gaps as opportunities for improvement, and develop a comprehensive DORA programme aligned with their Digital Operational Resilience Strategy. The proactive stance required by DORA ensures institutions are prepared not just to recover from disruptions but to prevent and withstand them, reinforcing the financial sector’s defences against digital threats.

Summary

As the 17 January 2025 deadline for the Digital Operational Resilience Act (DORA) approaches, financial entities face challenges in compliance, often underestimating the effort required.
