DSM Avocats: “Financial Entities Will Need State-Of-The-Art ICT Service Providers”

Marie-Paule Gillen, partner at law firm DSM Avocats. (© Stephanie Jabardo)

Companies in the financial sector will have to abide by the EU’s Digital Operational Resilience Act (DORA), fully applicable from 17 January 2025. The CSSF has acted ahead of time, and the law will create more demand for high-tech firms, says Marie-Paule Gillen, partner at law firm DSM Avocats à la Cour.

Are companies preparing themselves seriously for DORA?

I think they are, and that’s what I see from my clients and contacts. Everyone in the industry is at least familiar with it and knows that they had two years to prepare themselves as of the publication of the act in January 2023, and they will have until January 2025 to be entirely on track.

What is the level of readiness in the Luxembourgish financial ecosystem?

A positive remark for Luxembourg is that at a very early stage, the CSSF increased its requirements for outsourcing services in the financial sector. And so, the high-tech firms were already prepared to meet a good deal of these requirements years ago. The last outsourcing circular dates back to April 2022 and is very precise on ICT (Information and Communications Technology) outsourcing, non-cloud and cloud. As we are a long-established international financial centre and cyber security is crucial for businesses, the CSSF was very demanding on these topics already at a very early stage.

This new system of reporting and exchange of information about incidents, which will spread at a European level, is a very interesting topic. The exchange of information will allow new possibilities to prevent cyberattacks and mitigate cyber risks. You share your bad experiences, but also the reason why you had a bad experience, and you can make others profit from this experience.

What can companies win from DORA?

Surely, they will have a lot to win because the financial entities will need skilled and state-of-the-art ICT service providers. There will be a high demand for their services and not every kind of service, but really the highest quality of services. They will have to work hard to prepare themselves and to equip themselves at a high-class level. And by doing that, they will allow themselves to serve adequately the financial entities and meet the newer needs of their clients.

“I really don’t see that they will just adopt a ‘tick the box’ attitude because the challenges are too high.”

Marie-Paule Gillen, partner at law firm DSM Avocats à la Cour

The financial entities subject to DORA will take great care of having very competent and technologically advanced ICT service providers. They will have heavy requirements on those third-party service providers. Probably, most of them will have to be authorised by the CSSF as support PFS (professionals of the financial sector).

Is cybersecurity a big point of focus for your clients and fintechs in particular?

Yes, definitely. You cannot afford to have a third-party service working for a financial entity without perfectly meeting all the legal requirements. If they don’t bring clear evidence that they are very skilled and at the right level to provide full cybersecurity in their services, they will not be accepted.

Will financial entities’ efforts to comply with DORA lead to having a stronger relationship with their ICT providers?

For sure. They have to have stronger links with the service providers, and they will have to have oversight on how they are organised, their internal governance, their internal organisation, what tools they use, and how they can ensure that the requirements on cybersecurity are met. Actually, it is a requirement of DORA that they exercise close oversight of the ICT supporting critical functions provided by third-party providers and that they keep a close eye on these third-party service providers.

Is there a risk of financial entities or ICT service companies complying with the regulations just for the sake of it and not enacting any real change?

Personally, I really don’t see that they will just adopt a “tick the box” attitude because the challenges are too high. There are also sanctions if you do not comply, and incidents will have to be reported. If incidents happen and they fail to properly report them, the sanctions will be there, and they are heavy. Issues related to reputation are there too.

This article was first published in the Silicon Luxembourg magazine.
