Agefi Luxembourg - December 2024
December 2024 | 45 | AGEFI Luxembourg | Informatique financière

Strategies of DORA: A Lunchtime Dialogue at the LHoFT

By Oriane KAESMANN, Research Manager, the LHoFT

The clock is ticking for financial institutions across Europe as the January 17th deadline (1) for Digital Operational Resilience Act (DORA) compliance approaches. Aimed at fortifying the operational resilience of financial entities, DORA sets out strict requirements for ICT risk management, incident reporting, resilience testing, third-party risk oversight, and governance. With such a firm deadline, the race to align with these regulations is on.

At a recent industry conference, experts and leaders from Elvinger Hoss (2), PwC Luxembourg (3), Fundvis (4), and Proximus (5) convened at the Luxembourg House of Financial Tech (6) (LHoFT) to tackle the practical hurdles posed by DORA. The discussions highlighted a range of complexities, from compiling comprehensive registers of ICT services to renegotiating contracts with third-party providers. Despite the daunting nature of these tasks, attendees emphasised the transformative potential of DORA. Addressing these challenges head-on will allow financial institutions to meet regulatory demands and ensure their operational resilience in an increasingly digital world.

DORA’s Core Requirements

The regulation introduces a comprehensive framework designed to fortify the digital resilience of financial institutions across the European Union. Centred on five key pillars, it addresses distinct facets of operational resilience, providing financial entities with a structured approach to align and reinforce their operational foundations.

ICT Risk Management

ICT risk management lies at the heart of DORA, requiring organisations to identify, assess, and mitigate risks related to their information and communication technology. This involves comprehensive mapping exercises to pinpoint critical functions and dependencies, a prerequisite for effective implementation.
Financial entities must continuously monitor and update their risk controls to address evolving threats.

Incident Reporting

Timely incident reporting is a non-negotiable requirement. Organisations must have standardised processes to report ICT-related incidents to regulators promptly. Clear documentation and communication protocols are essential to demonstrate compliance and support the broader financial ecosystem’s resilience.

Digital Operational Resilience Testing

Resilience testing ensures that financial institutions can withstand disruptions. Regularly scheduled tests, such as penetration tests, must be conducted at least every three years and aligned with real-world risk scenarios. These tests provide invaluable insights into potential vulnerabilities and validate the effectiveness of existing controls.

Third-Party Risk Management

Managing third-party risks is one of the more challenging aspects of the regulation. Financial entities must:
- Update contracts with service providers, prioritising intra-group agreements and major suppliers like Amazon Web Services (AWS) and Microsoft.
- Create a register of information detailing third-party dependencies and the criticality of their services.

This process demands rigorous internal coordination together with extensive external collaboration to collect and verify data.

Governance and Oversight

Effective governance is a cornerstone of DORA compliance. Organisations must:
- Engage their boards in overseeing digital resilience initiatives.
- Regularly present dashboards tracking compliance progress and remediation plans.
- Ensure that boards are aware of their accountability in meeting regulatory requirements.

Pathways to Achieving Compliance

With the January 17th deadline looming, financial institutions must adopt a structured approach. The following strategies focus on practical steps to meet regulatory requirements effectively while addressing key challenges.
Prioritise Mapping and Register Creation

The foundation of DORA compliance lies in conducting a comprehensive mapping exercise to identify all ICT services, their criticality, and dependencies. This step is essential before undertaking other compliance actions, as it informs all subsequent processes.
- Critical Focus Areas: Ensure the identification of business-critical functions and their ICT dependencies.
- Data Accuracy: Avoid skipping this step to save time, as inaccuracies here will lead to costly revisions later.

Once the mapping is complete, organisations must create the Register of Information, a central repository required by regulators. This task involves collecting extensive details from internal sources and external providers.
- Regulators will expect submissions in early Q1, and incomplete registers will not be accepted.
- Even if the register is not perfect, submit a robust first draft to demonstrate effort and readiness.

Address Third-Party Dependencies Proactively

Managing relationships with third-party service providers is one of the most time-consuming aspects of this regulation. Financial institutions should adopt a tiered approach:
- Intra-Group Agreements First: Update internal agreements within your organisation, as these require no external dependencies.
- Engage Key Providers: Prioritise updating contracts with critical providers, which often have pre-prepared DORA-compliant agreements.
- Small and Medium Providers: These providers may lack preparedness for DORA, making it crucial to document your engagement efforts meticulously.

Best practices include using standardised contract templates and documenting every communication to show your compliance efforts to regulators.

Engage the Board and Document Efforts

Board-level engagement is vital for maintaining momentum and accountability:
- Present dashboards at every board meeting to track compliance progress and remediation plans.
- Highlight risks, gaps, and strategies for addressing outstanding issues.

Regulators emphasise the importance of documenting all compliance efforts. From initial mapping exercises to third-party contract negotiations, keeping a detailed audit trail demonstrates commitment and ensures readiness for regulatory scrutiny.

Conclusion

DORA compliance is a pivotal opportunity to fortify operational resilience across Europe. While tight deadlines and complex requirements demand swift, strategic action, financial institutions can rise to the challenge by prioritising key initiatives: mapping processes, updating registers, collaborating with third-party providers, and harnessing the right tools and expertise. Immediate engagement is essential; by embracing this regulation as a strategic advantage, financial institutions can future-proof their operations, earning the trust of regulators, stakeholders, and clients while navigating tomorrow’s challenges with confidence. Now is the time to act.

1) Rowan Armstrong (02 July 2024), “EU Digital Operational Resilience Act: Countdown to comply with the January 2025 deadline”, https://lc.cx/rc3crE
2) https://elvingerhoss.lu/
3) https://www.pwc.lu/
4) https://fundvis.org/
5) https://www.proximus.lu/fr/index-en/
6) https://lhoft.com/

[Illustration: A Lunchtime Dialogue at the LHoFT, Strategies of DORA. © Midjourney]

MiCAR and Grandfathering: Stuck between a Rock and a Hard Place

By Vincent WELLENS & Ottavio COVOLO, attorneys-at-law (avocats à la Cour), NautaDutilh Avocats Luxembourg S.à r.l.

The clock is ticking for the entry into application of a number of upcoming regulations, such as the AI Act on 2 February 2025 (1) and DORA on 17 January 2025, but the rest of the MiCAR provisions regarding crypto-asset service providers (“CASP”) will be the first to enter into application at the end of this year, on 30 December 2024, together with the transfer of funds regulation (“TFR”).
With this date fast approaching, and recent news of CASP applications needing more time to be processed, entities which were licensed under the current virtual asset service provider (“VASP”) regime are now turning to assessing the possibilities offered by the grandfathering provisions under MiCAR.

The Main Difference between VASP and CASP: Passporting

The VASP regime, which originated from FATF Recommendation 15 and was included by amendment of the law of 12 November 2004 on the fight against money laundering and terrorism financing (the “AML Law”), was intended to give an initial regulatory framework to entities looking to offer such services, albeit limited to AML/CTF matters. This regime, however, does not stem from an EU legal framework and is purely national in scope. (2)

A VASP licence, offering evidence of the entity’s supervision by the CSSF, allows greater comfort to customers, especially for products targeting retail customers or consumers, as could often be the case with the larger names in the industry. Given the lack of any EU-wide legal framework, the VASP licence could not benefit from the advantages of EU law, including the principle of mutual recognition and the freedom of movement. These principles – and the cooperation mechanisms between supervisory authorities – however underpin the passporting mechanism sought by non-EU firms to enter the EU market, where a licence in a member State authorises the entity to provide the same services in all other member States.
The CSSF further confirmed in a Q&A on VASPs in August 2023 that no passporting is available, thus drawing VASPs’ and VASP candidates’ attention to “the registration as a VASP with the CSSF [being] without prejudice to any requirements applicable in the other countries where a VASP provides its services or intends to provide its services”, before concluding that a VASP must, therefore, assess the possibility to offer its services in each single member State it targets.

In comparison, the CASP regime stemming from MiCAR builds upon the definition of the VASP with similar services but, most importantly, stems from EU law and allows, under Article 59(7) MiCAR, for the passporting of the resulting licence within the EU. A CASP licensed in Luxembourg may therefore provide such services freely, for instance in Ireland, without the need to meet any additional conditions, either through the “right of establishment, including through a branch, or through the freedom to provide services”.

With the end of the VASP regime, supervisory authorities in the EU have redirected first-time VASP applicants to seek a CASP licence directly earlier this year, with the CSSF making such an announcement at the end of February 2024.

The Transitional Regime under MiCAR

Article 143(3) of MiCAR provides that CASPs which “provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026”, i.e., an 18-month period. Member States may however “decide not to apply the transitional regime for crypto-asset service providers provided for in the first subparagraph or to reduce its duration where they consider that their national regulatory framework applicable before 30 December 2024 is less strict than this Regulation”. Recital 114 of MiCAR however nuances this: the reduction or waiver should be used by member States which “do not, at present, have in place strong prudential requirements for [CASP] currently operating under their regulatory frameworks”.
In a draft bill of law (n°8387) amending the AML Law to implement MiCAR, the Luxembourg legislator confirmed its intention to keep the MiCAR grandfathering clause in relation to the VASPs. The bill aims at removing the VASP regime, whilst providing for a transitional regime in order to ensure that existing VASPs still comply with their obligations under the AML Law should they not obtain a CASP licence on 30 December 2024. This transitional period, referred to as the “grandfathering clause”, recognises the rights granted to certain entities in the past (i.e., the VASPs) for a period well after the programmed end of such rights.

The Lack of Passporting of the Grandfathering?

It follows from the above that existing VASPs will be allowed to keep providing their services authorised under their VASP licence until 1 July 2026. Two consequences should however be drawn.

First, services not covered by the existing VASP licence cannot be provided during this period, irrespective of whether the entity is currently seeking a CASP licence for such out-of-scope services.

Second, the VASP licence still does not benefit from any passporting. However, with MiCAR entering into application on 30 December 2024, so does the CASP licence requirement to provide the relevant services across the EU member States. A VASP in Luxembourg looking to provide services in the Netherlands will be met with the requirement of a CASP licence, and thus precluded from the provision of services. Thus, unlike the CASP licence, the grandfathered VASP licence under MiCAR does not benefit from any passporting.

One may wonder if it would not have been useful to extend the grandfathering provisions not only to a member State’s own existing actors, but also to the actors found in other member States. In such circumstances, a VASP in Luxembourg could in theory benefit from a ‘soft’ passport of its grandfathered licence across the EU.
This will however require a common approach in each EU member State; by way of reference, the Luxembourg legislator only provides grandfathering for VASP licence holders registered with the CSSF. In the absence of such concerted action from the legislators, and given the overload of case files at the CSSF, which now has to coordinate with other European supervisors, existing VASPs are now stuck between a rock and a hard place: waiting for a CASP licence while continuing to provide their services, but only in Luxembourg.

1) It should be noted that the provisions regarding AI literacy enter into application on that date, whereby providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, through i.a. training on AI.
2) Not to be confused with the identically named VASP regime which exists in Ireland under the supervision of the Irish Central Bank.