Implementation of EU acts on digital operational resilience (DORA) into Luxembourg law: new requirements upon entities of the financial sector


On 13 June 2024, bill of law 8291 on digital operational resilience (“DORA”) (the “Law”) was passed by the Parliament.

The Law aims at (i) applying the rules set out in Regulation (EU) 2022/2554 on DORA for the financial sector (the “Regulation”) and (ii) implementing Directive (EU) 2022/2256 amending several EU directives as regards DORA for the financial sector (the “Directive”).

The Law makes targeted amendments to several Luxembourg laws, such as the law of 5 April 1993 on the financial sector, as amended (the “LFS”), the law of 10 November 2009 regarding payment services, as amended, the law of 12 July 2013 on alternative investment fund managers, as amended, and the law of 7 December 2015 on the insurance sector, as amended.

Overall, the amendments add the requirement for relevant entities of the financial sector to ensure that information networks and systems are implemented and managed in accordance with the requirements of the Regulation.

More specifically, credit institutions must have robust internal governance arrangements that explicitly include networks and information systems (including the security and authentication of the means of transferring information) that are implemented, managed and used in accordance with the requirements of the Regulation to ensure, in particular, the continuity and regularity of the provision of services and the conduct of business. Credit institutions are further required to ensure that their emergency and business continuity plans also include information and communication technology activities. Such plans are implemented, managed and tested in accordance with the Regulation.

Finally, the Law entrusts national competent authorities with the supervisory and investigative powers necessary to (i) carry out their duties, within the limits of the Regulation, and (ii) lay down an appropriate system of penalties, which entails amending the law of 16 July 2019 on the implementation of European regulations in the sector of financial services. Sanctions and other administrative measures notably include administrative fines of a maximum amount of EUR 5 million or 10% of the total annual turnover for legal persons.

The Law shall come into force on 17 January 2025.

For more information on the Regulation and the Directive, please refer to our previous eAlert “A new step in the adoption of the Digital Finance Package”.

Should you have any questions on the above, please do not hesitate to contact one of the experts in our regulatory team.