
One year into DORA: turning compliance into resilience

Published on 26 November 2025

On 26 November 2025, the ABBL and ALFI, in partnership with the CSSF, welcomed 300 professionals to the Luxembourg Chamber of Commerce for an in-depth discussion on the first year of the Digital Operational Resilience Act (DORA). Nearly twelve months after the framework entered into application, the event examined what has changed, what remains challenging, and how supervisory expectations in Luxembourg will evolve in 2026.

Summary

    A sector moving from obligation to transformation

    Opening the session, Andrey Martovoy (ABBL) and Isadora Pardo (ALFI) highlighted how the industry has progressed since January 2025. Beyond ticking regulatory boxes, DORA has become a catalyst for broader transformation in ICT governance, third-party management and operational preparedness.

    This evolution was reflected in the panel discussion moderated by Michael Horvath (PwC Luxembourg), where André Roth (Edmond de Rothschild (Europe)), Ilker Tutu (PayPal Europe), Olga Frenkel (Franklin Templeton) and Grainne Goodman (M&G Luxembourg) shared practical insights from day-to-day implementation across their organisations.

    The key messages were clear:

    • DORA is driving tangible organisational uplift, particularly in documentation, contract management and ICT governance.
    • The Register of Information remains one of the most demanding components, with data quality, tooling and group coordination emerging as the main hurdles.
    • Firms are becoming increasingly aware of the significance of third-party dependencies, especially when dealing with global providers and complex subcontracting chains.

    As one panellist put it: “DORA encourages us to take a more structured and comprehensive look at our operational resilience capabilities.”

    Supervisory insights: from guidance to intensified supervision

    The keynote address by Cécile Gellenoncourt (CSSF) set the tone for the year ahead. While financial entities have now completed DORA’s first reporting obligations — incident reporting, Register of Information submissions and ICT arrangement notifications — 2026 will be a year of closing remaining gaps and strengthening risk management frameworks.

    The CSSF shared several statistics offering insight into the sector’s resilience landscape:

    • 195 major ICT-related incident notifications were registered in 2025, including 24 later reclassified as non-major.
    • High-impact incidents included DDoS attacks, a TARGET2 disruption, a major telecom outage in Luxembourg and the global AWS outage in October.

    On the Register of Information, the supervisor’s message was unequivocal: data quality must improve significantly. Frequent issues included missing mandatory fields, inconsistent ESA codes and broken table dependencies. Submissions accepted in 2025 may be rejected in 2026 if such issues persist.

    The CSSF stressed that the Register should be treated as a central risk-management tool, not an administrative formality.

    What to expect in 2026

    During the interactive Q&A with Kathrin Moules and Cristina Spinelli (CSSF), participants received clarity on upcoming priorities:

    • Supervision will intensify, with proportionality duly considered.
    • On-site visits are planned and will take a holistic view of organisational preparedness.
    • Firms must prepare for non-traditional disruptions, including telecom failures and energy-related interruptions.
    • The CSSF clarified expectations regarding Second Line of Defence involvement, alignment of critical and important functions, and how to handle contractual deadlocks with ICT providers unwilling to adopt DORA requirements.

    Resilience as a shared responsibility

    The closing message was both simple and powerful:

    “DORA is not just a compliance exercise – it is about keeping your business running in both expected and unexpected circumstances.”

    As Luxembourg strengthens its national cyber and resilience frameworks under NIS2 and the Critical Entities Resilience (CER) Directive, cooperation between the industry and the supervisor — clearly demonstrated once again at this year’s DORA Breakfast — will remain essential to safeguarding a robust and trusted financial sector.

    The ABBL’s continued commitment

    As DORA continues to evolve, the ABBL will support the industry through its DORA Working Groups and cross-industry collaboration platforms. These groups bring together experts from member institutions to exchange operational insights, address implementation challenges, coordinate on regulatory questions and contribute to supervisory dialogue.

    The ABBL is also closely monitoring the forthcoming Digital Omnibus Regulation, ensuring members remain informed about its implications and prepared for the adjustments it will introduce across the EU digital regulatory landscape.

    The ABBL remains committed to helping its members strengthen their digital operational resilience, anticipate supervisory priorities and navigate the next phases of DORA with clarity and confidence.

    Members interested in joining these working groups are invited to contact our Member Relations Team: member-relations@abbl.lu.

    Andrey Martovoy

    Senior Adviser - Innovation & Digital, ABBL
