Publication of the Luxembourg DORA Law

Background

On 2 July 2024, the law of 1 July 2024¹ relating to DORA (DORA Law) was published in the Official Journal of Luxembourg. It will enter into force on 17 January 2025.

The DORA Law is part of the regulatory package adopted at European level on the digital operational resilience of the financial sector. It comprises two texts:

• Regulation (EU) 2022/2554², referred to as the “DORA” or “Digital Operational Resilience Act”, which is the main text in this regard (DORA); and
• Directive (EU) 2022/2556³.

Indeed, it has become clear at European level that the financial sector is increasingly dependent and interconnected with regards to information technology, whether with other entities in the sector or with third-party ICT service providers, which constitutes a significant risk factor. Before this regulatory package was adopted, there was a body of rules concerning information technology, but they were fragmented and scattered between different EU acts.

DORA consolidates these various standards into a single legislative framework, addressing gaps and removing inconsistencies. It sets out uniform rules to ensure financial entities can withstand, respond to, and recover from significant ICT disruptions. It includes standardized requirements for ICT risk management, major incident reporting, operational resilience testing, cyber threat information sharing, and third-party risk management. DORA also establishes a supervisory framework for critical third-party ICT service providers.

Directive (EU) 2022/2256 accompanies and supplements DORA by amending a number of directives to ensure consistency between the various texts. It is this directive that the DORA Law transposes into Luxembourg law, which also specifies the supervisory and investigative powers of the competent authorities and sets out an appropriate system of penalties to ensure compliance with DORA.

Adopting the Luxembourg DORA Law

While the provisions of DORA are directly applicable in the EU, the DORA Law implements DORA, transposes Directive (EU) 2022/2556 into Luxembourg law and amends the following Luxembourg laws (together, Laws) ensuring the inclusion of a cross-reference to DORA and reflecting, amongst others, the following changes:

• The law of 5 April 1993 on the financial sector, as amended:
• including reference to “the set-up and management of networks and information systems in accordance with DORA, as appropriate” and removal of reference to “control and security mechanisms for IT systems” in article 5;
• amending article 53-21 paragraph 2 to ensure CRR institutions have adequate emergency and business continuity policies and plans, including ICT business continuity policies and plans and ICT response and recovery plans for the technologies they use to communicate information in accordance with DORA to be able to continue their activities in case of serious disruption and limit any losses incurred.
  
  
• The law of 13 July 2005 on institutions for occupational retirement provision in the form of sepcavs and asseps, as amended:
• including reference to “the set-up and management of networks and information systems in accordance with DORA, as appropriate” in article 57-1.
  
  
• The law of 10 November 2009 on payment services, as amended:
• amending article 8 paragraph 1 o) to ensure that “recovery plans, as well as a procedure for regularly testing and reviewing the suitability of the response and recovery plans, as well as a procedure for regularly testing and reviewing the adequacy and effectiveness of these plans in done in accordance with Regulation (EU) 2022/2554”;
• a new section to paragraph 3 of article 105-2 was inserted to clarify that paragraph 1 of the article does not apply to payment services providers referred to in article 1 item 37(i),(ii),(iv),(vii),(viii) and 37(d).
  
  
• The law of 17 December 2010 on undertakings for collective investment, as amended:
• article 109 paragraph 1 a) has been amended to replace “IT security” with "safeguards in the field of electronic data processing, including networks and information systems that are set up and managed in accordance with DORA.”
  
  
• The law of 12 July 2013 on alternative investment fund managers, as amended:
• article 16 paragraph 2 has been amended to foresee a reference to “networks and information systems set up and managed in accordance with and managed in accordance with DORA.”
  
  
• The law of 7 December 2015 on the insurance sector, as amended:
• Including reference to “the set-up and management of networks and information systems in accordance with DORA, as appropriate” in articles 71 paragraph 2, second sentence and article 256-22 paragraph 6, second sentence.
  
  
• The law of 18 December 2015 on the insolvency of credit institutions and certain investment firms, as amended:
• inserting a new paragraph 4(a) in section B requesting for the digital operational resilience of the networks and information systems supporting critical functions and core business activities, taking into account major ICT incident reports and the results of digital operational of digital operational resilience under DORA.
  
  
• The law of 30 May 2018 on markets in financial instruments, as amended:
• replacing the reference to effective systems, procedures and mechanisms in place within article 7 with the requirement to “establish and maintain their operational resilience in accordance with the requirements set out in Chapter II of DORA.”
  
  
• The law of 16 July 2019 on the operationalisation of European regulations in the field of financial services, as amended:
• inserting a new chapter 4 (d) on the implementation of DORA including a reference to definitions under DORA for terms used in the chapter and listing the competent authorities with supervisory power and investigative power to monitor the application of DORA and issue administrative fines for any non-compliance by:
  (a) financial sector entities, being the Luxembourg Supervision Commission of the Financial Sector (Commission de Surveillance du Sector Financier – CSSF),
  (b) insurance sector entities, being the Luxembourg Supervisory Authority for the Insurance Sector (Commissariat aux Assurances – CAA)
• outlining the powers of the CSSF and CAA, including, amongst others:
• access to documents and data
• onsite inspections
• interviewing people to gather information
• taking appropriate measures to ensure compliance with DORA imposing administrative penalties, etc.
• listing the administrative sanctions and other administrative measures the CAA and CSSF can impose, including, amongst others:
• injunction ordering persons to cease the conduct in question
• temporary cessation of any practice deemed to be in breach of DORA
• fines of up to EUR5 million for natural persons and up to EUR5 million or up to 10% of total annual turnover for legal persons, whichever amount is higher
• public statement specifying the identity of the person responsible and the nature of the violation
• fines between EUR250 and EUR250,000 against those that obstruct the exercise of their supervisory and investigative powers, fail to comply with injunctions, provide incomplete or inaccurate information, etc.

Please get in touch with our IPT and Regulatory specialists for more information.

¹Law of 1 July 2024, amending the Laws (as defined herein) with a view to implementing DORA (as defined herein) and the transposition of Directive (EU) 2022/2556 (as defined herein).
²Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
³Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022, amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards the operational digital resilience of the financial sector (Directive (EU) 2022/2556).