Draft Law No. 8291 on the digital operational resilience of the financial sector

On 4 August 2023, the draft law No. 8291 (the "Draft Law") aimed at (i) implementing Regulation (EU) 2022/2554 of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011; (ii) transposing Directive (EU) 2022/2556 of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards the digital operational resilience of the financial sector; (iii) amending (a) the amended law of 5 April 1993 on the financial sector; (b) the amended law of 13 July 2005 on institutions for occupational retirement provision in the form of a SEPCAV and an ASSEP; (c) the amended law of 10 November 2009 on payment services; (d) the amended law of 17 December 2010 on undertakings for collective investment; (e) the amended law of 12 July 2013 on alternative investment fund managers; (f) the amended law of 7 December 2015 on the insurance sector; (g) the amended law of 18 December 2015 on the failure of credit institutions and certain investment firms; (h) the amended law of 30 May 2018 on markets in financial instruments; (i) the amended law of 16 July 2019 on the implementation of European regulations in the field of financial services, was submitted to the Luxembourg Parliament (Chambre des Députés).

The aim of Regulation (EU) 2022/2554, and incidentally Directive (EU) 2022/2556

The aim of Regulation (EU) 2022/2554 (commonly known as "DORA" or "Digital Operational Resilience Act"), and incidentally of Directive (EU) 2022/2556, is to harmonise and strengthen information and communication technology ("ICT") security requirements in order to achieve a high level of security and a high level of digital operational resilience across the financial sector.

Regulation (EU) 2022/2554 consolidates the different rules dealing with ICT risk in the financial sector and brings them together in a single legislative act to fill in the gaps and to avoid inconsistencies.

Directive (EU) 2022/2256 accompanies and complements Regulation (EU) 2022/2554 by providing for a series of targeted amendments to existing European directives in the field of the financial sector. These amendments are necessary in order to ensure, in the interests of legal certainty, that these sectorial directives are consistent with Regulation (EU) 2022/2554 as regards the application of digital operational resilience requirements that are currently scattered across the existing sectoral legislation.

Key points of Draft Law

As the provisions of Regulation (EU) 2022/2554 are directly applicable in the EU, the main purpose of the Draft Law is to give to the competent national authorities the responsibility of ensuring the application of Regulation (EU) 2022/2554. To give the supervisory and investigative powers they need to carry out their duties, their functions, within the limits defined by the said regulation, and to set an appropriate sanctions regime. To this end, the Draft Law amends the amended law of 16 July 2019 on the operationalization of European regulations in the field of financial services.

In addition to implementing Regulation (EU) 2022/2554, the Draft Law aims to transpose into Luxembourg law specific amendments to European financial sector directives relating to digital resilience and ICT security. The Draft Law thus makes a targeted adaptation of a series of national laws relating to the financial sector.