Communiqué

DORA Regulation – reminders and advice on preparedness

With the application of DORA on 17 January 2025 approaching, the ESAs today published a short joint statement addressing requests from Financial Entities seeking greater clarity on the supervisory community's expectations of them. The publication, which can be accessed via the following links, aims to highlight the pragmatic and proportionate approach to be taken:

The CSSF also reminds the Financial Entities which will fall under the DORA Regulation of the following aspects:

  • Under the DORA Regulation, Financial Entities are required to have an LEI code to be able to provide certain reporting. This requirement can be found, in particular, in certain level 2 texts (for example in the ITS on the register of information and the RTS/ITS related to reporting of major ICT-related incidents). The CSSF therefore advises Financial Entities which do not have an LEI code yet to proceed with the procurement and activation of an LEI code to be able to fulfil the requirements under DORA as from 17 January 2025.
  • Starting from 17 January 2025, Financial Entities are required to notify the CSSF of any major ICT-related incidents according to the requirements set out in the respective level 2 texts of DORA. This reporting will have to be performed via the eDesk platform, following the process already in place for reporting of incidents under Circular CSSF 24/847. The CSSF therefore requires Financial Entities that have not yet done so to create the specific eDesk role of “IT Incident Notifier”, which will have to be used to notify the related incidents via eDesk. Please refer to the dedicated procedure “Major ICT-related incident notification” available on the CSSF eDesk Portal (edesk.apps.cssf.lu). The creation of the eDesk role of “IT Incident Notifier” before 17 January 2025 is essential for Financial Entities to be able to comply with DORA requirements.
  • Regarding Article 28.3 of the DORA Regulation requiring Financial Entities to inform the competent authority about “any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important”, the CSSF would like to remind Financial Entities of the following:
    • ICT outsourcing arrangements previously notified under Circular CSSF 22/806 are not required to be re-submitted in the context of DORA.
    • Contractual arrangements on the use of ICT services that were already in place prior to 17 January 2025 and have not been notified under Circular CSSF 22/806, because they do not qualify as critical or important ICT outsourcing under that circular, are likewise not required to be submitted as notifications to the CSSF; however, they need to be listed in the Register of Information.

Further details on how to submit the new notifications under DORA after DORA's entry into application will be provided in the coming weeks.

The CSSF also draws the attention of Financial Entities to the ESAs' announcement of the timeline to collect information for the designation of critical ICT third-party service providers under DORA, which can be accessed here (EBA/ESMA). This announcement specifies, among other things, the date for the submission of the first registers of information by competent authorities to the ESAs, namely 30 April 2025, and the list of validation rules that the ESAs will use when analysing the received registers of information. The CSSF will communicate in the coming weeks on the date by which Financial Entities will be required to submit their registers of information to the CSSF, to allow the CSSF to transmit them to the ESAs by 30 April 2025. By providing their complete register on an annual basis, Financial Entities will comply at the same time with Article 28.3 of the DORA Regulation requiring them to “report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.”

Financial Entities who would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 Dry Run exercise are invited by the ESAs to take part in a virtual information workshop on 18 December 2024. Interested parties can register by 16 December 2024 using the following link.

Finally, the CSSF would like to inform Financial Entities that the ITS on the Register of Information were published in the Official Journal of the EU this week.