DORA implementation in Luxembourg

The Luxembourg law implementing certain aspects of the Digital Operational Resilience Act (DORA) and implementing Directive 2022/2556 has just been published. For the purpose of enforcing DORA, the CSSF and the CAA have now been given extensive supervisory and investigatory powers and can also impose heavy administrative sanctions and other measures in cases of violation of specific provisions of the regulation.

On 16 January 2023, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) entered into force, heralding a new era of digital operational resilience for the financial sector across the EU.

DORA will apply from 17 January 2025 and represents a pivotal step forward in consolidating and enhancing ICT risk management requirements for financial entities. It emphasises the importance of unified cybersecurity protocols to mitigate ICT-related risks and ensure robust operational resilience within the financial sector.

While DORA sets out a unified framework that is directly applicable in all EU Member States, there are several aspects where national legislation and regulatory actions are still needed to ensure implementation and enforcement.

To this end, bill of law 8291 was introduced in August 2023. It was exempted from the second constitutional vote on 25 June 2024 and has been published today. The new law of 1st July 2024 will enter into force on 17 January 2025 (Law of 2024).

The Law of 2024 also aims to implement Directive 2022/2556 of the European Parliament and of the Council of 14 December 2022 as regards digital operational resilience for the financial sector (Directive 2022/2556), which increases cybersecurity standards across EU financial directives to bring them into line with DORA.

Luxembourg implementation

The Law of 2024 implements Directive 2022/2556 into all existing domestic financial legislation (including the law of 5 April 1993 on the financial sector, as amended, the law of 12 July 2013 on AIFM, as amended, the law of 7 December 2015 on the insurance sector, as amended, etc.).

It also amends the law of 16 July 2019 on the operationalisation of European regulations in the area of financial services, as amended (Law of 2019) by designating the Commission de Surveillance du Secteur Financier (CSSF) and the Commissariat aux Assurances (CAA) as competent authorities to oversee and enforce DORA compliance among Luxembourg in-scope entities (article 46 of DORA). For the purpose of enforcing DORA, the CSSF and CAA have been granted extensive supervisory and investigatory powers (within the limits defined by DORA), which include:

  • Accessing and copying any documents or data in any format
  • Conducting on-site inspections and investigations
  • Calling on representatives of financial entities to provide explanations of relevant facts or documents and recording their responses
  • Interviewing any willing individuals to gather information pertinent to an investigation
  • Subject to judicial authorisation, requesting data traffic records from communication service providers and public network operators when there is a suspected violation
  • Referring information to the State prosecutor for criminal prosecution

The CSSF and the CAA can also impose administrative sanctions and other measures in cases of violation of specific DORA provisions (concerning, among others, their governance and organisation, risk management, response and recovery, testing, the implementation of key contractual provisions, etc.).

The sanctions can be imposed on the in-scope entity itself and also on the members of its management body, as well as other responsible individuals.

Indeed, while board members are generally liable for management errors, either by omission or by action, from a corporate law perspective, DORA insists specifically on the liability of board members and executives by placing a strong emphasis on the accountability of these parties with regard to ensuring their organisations’ digital operational resilience.

Specific administrative measures include:

  • An injunction ordering the person responsible for a violation to cease the relevant conduct and refrain from repeating it.
  • The temporary or permanent cessation of any practice deemed by the competent authority to be contrary to the DORA provision.
  • An administrative fine of up to EUR 5 million for individuals.
  • An administrative fine of up to EUR 5 million or 10% of the total annual turnover for legal entities, based on the latest available consolidated financial accounts.
  • A public statement specifying the identity of the person responsible and the nature of the violation (“naming and shaming”).

Decisions by the CSSF or the CAA under the Law of 2019 can be appealed within one month to the administrative court, which will judge the matter on the merits.

Read the Law of 2024 here