What is DORA?

Digital Operational Resilience for Financial Services

DORA creates a unified ICT risk management framework for the EU financial sector.

It applies to banks, insurance companies, investment firms, payment institutions, crypto-asset providers, and critically, their ICT third-party service providers.

In Luxembourg, this means entities supervised by the CSSF and CAA must demonstrate digital operational resilience across five pillars.

Five DORA Pillars

ICT Risk Management
Comprehensive framework for identifying, protecting against, detecting, and responding to ICT risks
Incident Reporting
Classification and reporting of major ICT-related incidents to authorities
Resilience Testing
Regular testing including threat-led penetration testing (TLPT)
Third-Party Risk
Oversight framework for ICT third-party service providers

Services

DORA Compliance Services

DORA Gap Analysis

Assess your current ICT risk management practices against DORA requirements. Identify gaps across all five pillars and prioritize remediation.

ICT Risk Framework

Design and implement an ICT risk management framework covering governance, risk identification, protection measures, detection, and response.

Resilience Testing Program

Establish a digital operational resilience testing program including vulnerability assessments, scenario-based testing, and TLPT preparation.

Third-Party Risk Management

Build an ICT third-party risk oversight framework covering contract review, concentration risk assessment, and exit strategy planning.

Incident Management

Design incident classification, escalation, and reporting processes aligned with DORA's requirements and CSSF expectations.

Policy & Documentation

Develop ICT security policies, business continuity plans, information sharing agreements, and board-level reporting frameworks.

Scope

Who Must Comply with DORA?

Banks & Credit Institutions

All credit institutions authorized in the EU, including Luxembourg's banking sector supervised by the CSSF.

Investment & Fund Managers

Investment firms, AIFMs, UCITS management companies, and central securities depositories.

Insurance & Reinsurance

Insurance undertakings, reinsurance undertakings, and insurance intermediaries supervised by the CAA.

Payment & E-Money

Payment institutions, electronic money institutions, and account information service providers.

Crypto-Asset Providers

Crypto-asset service providers authorized under the MiCA regulation.

ICT Third-Party Providers

Critical ICT third-party service providers designated by European Supervisory Authorities.

Related

Complementary Services

NIS2 Compliance

DORA and NIS2 share common ground. We help you address overlapping requirements efficiently.

Cybersecurity Services

Security assessments, penetration testing, SIEM, IAM — the technical backbone of DORA compliance.

DevSecOps

Secure your software delivery pipeline — a key element of ICT risk management under DORA.

Is your financial entity DORA ready?

Let's assess your digital operational resilience and build a compliance roadmap.