DORA Compliance: a continuous journey
- Laws and regulations
- Posted 13.03.2025
EU Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) came into effect on 16 January 2023 and has been fully applicable since 17 January 2025. Financial entities within DORA’s scope have had two years to implement its requirements, and the Luxembourg financial market has been actively preparing since 2023, as highlighted in the CSSF DORA Readiness Survey published in October 2024.
The next major milestone is approaching fast: the first submission of the DORA Register of Information (RoI) to the CSSF, covering all contractual arrangements on the use of ICT services provided by ICT third-party service providers. Financial entities are required to submit their RoI to the CSSF between 1 and 15 April 2025 via the eDesk platform. However, financial entities are still in the process of implementing DORA and will need to continue their efforts beyond 15 April 2025.
Key challenges and recent developments
1. Clarification of “ICT Services” under DORA
On 22 January 2025, the European Supervisory Authorities (ESAs) released long-awaited guidance from the European Commission (EC) clarifying the definition of an "ICT service" under DORA:
- If a financial entity provides ICT services to another financial entity in connection with its financial services, these related ICT services may be considered predominantly financial services rather than ICT services under DORA, subject to certain conditions.
- Conversely, ICT services independent from regulated financial services, even when provided by a regulated financial entity, should be considered ICT services under DORA.
This clarification helps financial institutions finalise their ICT service mapping and potentially exclude certain services such as platforms provided by a Luxembourg central administration or SaaS tools used by a delegated portfolio manager and made available to the financial entity.
2. RTS on subcontracting: latest updates
On 22 January 2025, the EC rejected the draft RTS on subcontracting ICT services supporting critical or important functions (RTS on Subcontracting), as certain provisions exceeded the ESAs’ mandate—particularly Recital 5 and Article 5, which required financial entities to monitor the full chain of ICT subcontractors.
On 7 March 2025, the ESAs accepted the EC’s amendments, and an updated version of the RTS on subcontracting (without Recital 5 and Article 5) will be published soon.
For financial entities:
- If you have already updated your DORA contractual framework, there should be no major impact.
- If your agreements are still under negotiation, ICT third-party service providers may revise their DORA addendums to remove these specific obligations, potentially leading to delays.
Even though subcontractor monitoring clauses are no longer required, financial entities must still assess how long and complex subcontracting chains may impact their ability to monitor critical functions (Article 29(2) of DORA). Having a view on the ICT supply chain also remains important where necessary to complete the RoI.
How we can help
Are you facing challenges in implementing the DORA framework? Have you updated your ICT risk management framework, policies and procedures to align with DORA requirements? Are you struggling to negotiate DORA clauses with ICT third-party service providers?
Our dedicated team is here to help you:
- Implement DORA requirements efficiently and pragmatically, while ensuring compliance with regulatory expectations.
- Review and update your ICT risk management framework, policies and governance framework.
- Support your negotiations with ICT third-party service providers.
Let’s ensure your organisation is DORA-compliant. Contact us to discuss how we can support you.