On 14 January 2025, the Commissariat aux Assurances (CAA) published Circular Letter 25/1 (Circular Letter), which provides helpful practical guidance on certain aspects of implementing the Digital Operational Resilience Act (DORA).
Background
As of 17 January 2025, DORA applies to insurance and reinsurance companies, intermediaries, and ancillary insurance intermediaries (Entities). The CAA is Luxembourg's competent authority for supervising these Entities' compliance with DORA.
Key considerations
The Circular Letter provides valuable insights with regard to the CAA's expectations for incident reporting and information registers:
Reporting of major ICT incidents
As of 17 January 2025, Entities must report any major ICT-related incidents to the CAA.
The Circular Letter specifies that these incidents must:
- be reported by using the templates annexed to the Circular Letter, which may initially be in either Excel or JSON format but, in the medium term, must be in JSON format.
- be submitted to the CAA at email address dora@caa.lu during the first transition phase. However, as of March 2025, Entities will be required to use the newly introduced "Dora Incident Reporting" (DIN) reporting template that the CAA has added to its reporting system (Conventions de nommage pour les reportings au CAA).
Register of information
National competent authorities must provide the European Supervisory Authorities with registers of information so as to identify critical ICT service providers.
For these purposes, the Circular Letter specifies that:
- by 18 April 2025 at the latest, Entities must submit their registers of information to the CAA via SOFiE/eFile by using the new reporting template "DORA Register of Information". The reference date for the first reporting is 31 March 2025, while the reference date for subsequent years is 31 December.
- the technical format to be used for submission to the CAA will be a package of JSON and CSV files, which should be included in a zip archive.
Entities should consult the EBA website for further detail on the elements needed to complete the information register declaration and refer to the ITS included in the Commission Implementing Regulation 2024/2956 for information on the standard templates for the register of information.