Implementation Of EU Acts On Digital Operational Resilience (DORA) Into Luxembourg Law: New Requirements Upon Entities Of The Financial Sector

CMS Luxembourg


Active in the Grand-Duchy since 2011, CMS Luxembourg combine a deep understanding of the local market with the global overview of the CMS network. Our 70+ lawyers specialise in Banking & Finance, Corporate/M&A, Investment Funds and Tax but are also able to assist our clients on Commercial, Dispute Resolution, Employment, Capital Markets, ESG as well as Insurance matters.
On 13 June 2024, bill of law 8291 on digital operational resilience ("DORA") (the "Law") was voted by the Parliament.
European Union Finance and Banking
To print this article, all you need is to be registered or login on

On 13 June 2024, bill of law 8291 on digital operational resilience (“DORA”) (the “Law”) was voted by the Parliament.

The Law aims at (i) applying the rules set out in Regulation (EU) 2022/2554 on DORA for the financial sector (the “Regulation”) and (ii) implementing Directive (EU) 2022/2256 amending several EU directives as regards DORA for the financial sector (the “Directive”).

The Law punctually amends several Luxembourg laws, such as the law of 5 April 1993 on the financial sector, as amended (the “LFS”), the law of 10 November 2009 regarding payment services, as amended, the law of 12 July 2013 on alternative investment fund managers, as amended and the law of 7 December 2015 on the insurance sector, as amended.

Overall, the amendments add the requirement for relevant entities of the financial sector to ensure that information networks and systems are implemented and managed in accordance with the requirements of the Regulation.

More specifically, credit institutions must have robust internal governance arrangements that explicitly include networks and information systems (including the security and authentication of the means of transferring information) that are implemented, managed and used in accordance with the requirements of the Regulation to ensure, in particular, the continuity and regularity of the provision of services and the conduct of business. Credit institutions are further required to ensure that their emergency and business continuity plans to also include information and communication technology activities. Such plans are implemented, managed and tested in accordance with the Regulation.

Finally, the Law entrusts national competent authorities with the supervisory and investigative powers necessary to (i) carry out their duties, within the limits of the Regulation, and (ii) lay down an appropriate system of penalties, which entails amending the law of 16 July 2019 on the implementation of European regulations in the sector of financial services. Sanctions and other administrative measures include notably administrative fines of a maximum amount of EUR 5 million or 10% of the total annual turnover for legal persons.

The Law shall come into force on 17 January 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More