
DORA: how mutualised audits can strengthen resilience while reducing costs

Published on 22 June 2026

Several Luxembourg financial institutions have joined forces to conduct a mutualised ICT audit under DORA. Discover how collaboration can strengthen resilience, improve oversight and reduce costs.

    Luxembourg banks join forces to audit a critical ICT provider

    As financial institutions continue to implement the Digital Operational Resilience Act (DORA), one challenge is becoming increasingly apparent: how to meet growing oversight requirements on critical ICT providers without multiplying audits, costs and operational burden.

    A mutualised audit initiative coordinated by the ABBL offers a practical answer, allowing several institutions to assess a shared service provider through a single, coordinated exercise.

    The challenge: stronger oversight without duplication

    DORA has raised the bar for the management of ICT and third-party risks across the financial sector. Banks are expected to demonstrate robust oversight of the technology providers on which they rely for critical services.

    While these requirements are designed to strengthen operational resilience, they can also lead to significant duplication. When several institutions depend on the same provider, multiple audits covering largely identical topics may be carried out independently, creating inefficiencies for both financial institutions and service providers.

    Finding ways to achieve high levels of assurance while avoiding unnecessary duplication is therefore becoming an important operational and regulatory challenge.

    A collective response to a common issue

    To address this challenge, several Luxembourg financial institutions came together to conduct a mutualised external ICT audit of key LuxTrust services used across the sector.

    The initiative was coordinated with the support of the ABBL and relied on the active involvement of a lead bank representing the participating institutions. This role proved essential in structuring the request-for-proposal process, consolidating expectations and ensuring that the audit reflected both operational realities and regulatory requirements.

    The audit itself was entrusted to Wavestone, whose expertise in cybersecurity, operational resilience and financial-sector regulation provided an independent assessment of the services under review.

    Alongside the participating institutions, LuxTrust played a central role by engaging in a single audit process covering areas of common interest to multiple clients.

    This initiative demonstrates that regulatory requirements can be transformed into collaborative opportunities. A shared audit framework reduces the burden on audited entities by limiting duplicate assessments, while enabling participating institutions to achieve deeper audit coverage, stronger assurance, and greater cost efficiency.

    Ananda Kautz

    Member of the Management Board of the ABBL

    One audit, multiple benefits

    The initiative demonstrates how collaboration can transform a regulatory obligation into an opportunity for greater efficiency.

    For participating institutions, the approach provides access to a common, high-quality audit framework while reducing duplicated effort. It also promotes a more consistent assessment of risks and controls across the sector.

    The value of a mutualised audit lies in its ability to combine efficiency with quality. By working together, institutions can strengthen oversight of a shared provider while reducing the operational burden associated with individual audits.

    Ludovic Raymond

    Head of ICT and Security Risk Management, Banque Raiffeisen

    For service providers, a mutualised audit offers a more structured way to respond to clients’ resilience and security expectations without being confronted with multiple separate reviews covering similar topics.

    This approach creates a constructive framework for dialogue around resilience, security and transparency. It allows us to address common expectations in a coordinated and efficient manner.

    Fabrice Aresu

    CEO of LuxTrust

    The involvement of an independent auditor also contributes to the credibility and consistency of the exercise, ensuring that participating institutions can rely on a robust and recognised assessment framework.

    Mutualised audits are an effective way to reconcile regulatory assurance with operational efficiency. By providing a common assessment framework, they help institutions address shared risks while promoting greater consistency across the financial sector.

    Jérôme de Lisle

    Head of Cybersecurity Luxembourg at Wavestone

    More broadly, the exercise contributes to stronger third-party risk governance and helps create a common understanding of resilience expectations among market participants.

    A blueprint for future DORA initiatives

    Beyond the audit itself, the project offers a model that could eventually be replicated for other critical ICT providers.

    As DORA implementation progresses, mutualised approaches may become an increasingly valuable tool for balancing regulatory compliance, operational efficiency and sector-wide resilience. By pooling resources and coordinating efforts, financial institutions can obtain stronger assurance while reducing administrative burden.

    DORA implementation is not only about individual compliance. It is about building a more resilient ecosystem. When institutions face common challenges, coordinated action can deliver better outcomes for the entire market.

    Andrey Martovoy

    Senior Adviser - Innovation & Digital, ABBL

    The initiative also illustrates a broader lesson of DORA: resilience is not only built institution by institution. In areas where firms face common risks and depend on shared infrastructures, collective action can help strengthen the resilience of the financial ecosystem as a whole.

    By bringing together financial institutions, service providers and independent experts around a common objective, the initiative demonstrates how cooperation can transform regulatory requirements into an opportunity to enhance resilience, efficiency and trust across the Luxembourg financial sector.

    Andrey Martovoy

    Senior Adviser - Innovation & Digital, ABBL