Support PSFs: Ahead of the Curve on DORA

17 January 2025

As of 17 January 2025, financial entities in the European Union must comply with DORA (Digital Operational Resilience Act). After a two-year transitional period, the new European regulation on digital operational resilience and ICT security takes full effect. Emerging from the digital finance package adopted in 2020 by the European Commission, its objective is to provide a comprehensive operational-resilience framework for a financial industry that increasingly relies on digital technologies yet cannot afford failures (breakdowns, network disruptions, cyber-attacks, etc.).

DORA sets out four main requirements to enhance the operational resilience of financial actors:

– Implementation of a comprehensive ICT risk management framework
– Management, classification and reporting of ICT-related incidents and cyber threats
– Regular digital operational resilience testing of critical and important ICT systems
– Management of risks related to ICT third-party service providers

Note that DORA also encourages – without requiring – affected companies to develop information-sharing mechanisms regarding cyber threats to better ensure their defence.

A Colossal and Endless Task

For the entities involved, complying with DORA is no small feat. Spanning everything from day-to-day operational issues to maintaining critical functions during disruptions, this monumental task demands constant adaptation to keep pace with technological change. “DORA is a journey; it will be a continuous updating process,” confirms Cécile Gellenoncourt, Head of Information Systems and Support PSF Supervision at the CSSF. Luxembourg’s financial regulator is encouraged by the progress made since the regulation’s entry into force in 2023. “After a period of waiting for level-two technical texts, we observed an acceleration of concrete actions during 2024. Our latest survey, conducted in September 2024, shows significant progress despite very tight deadlines.”


Gellenoncourt points out that some organisations started their preparations sooner, guided by existing regulatory texts. In late 2019, the European Banking Authority (EBA) published its final Guidelines on ICT and security risk management, which applied from 30 June 2020. Directed at credit institutions, investment firms and payment service providers, these guidelines specifically addressed ICT risk management and third-party risk management, areas now fully encompassed by DORA.

In Luxembourg, the CSSF transposed these guidelines into circular 20/750 (ICT and security risk management) and, later, circular 22/806 (outsourcing). “Many DORA requirements were already imposed by these texts on actors targeted by the EBA. They therefore had to be compliant for several years on various points,” continues Gellenoncourt. It is worth noting that DORA goes beyond outsourcing alone, bringing broader ICT security considerations into scope, including obligations for data providers and other operators connected to the financial sector.

Luxembourg's Support PSF Exception

But in Luxembourg’s financial centre, it was another, older measure that gave financial sector players a head start: the creation of support PSFs, regulated entities established by a law of 2003. These “Professionals of the Financial Sector” (PSFs), as defined by the CSSF, do not offer financial products or services themselves; instead, they act as subcontractors for operational functions on behalf of professionals that do offer such products or services. What sets them apart is the prudential supervision exercised over them by the Luxembourg regulator.


In Luxembourg, the management of ICT service provider risk required by DORA is therefore already a reality on the ground. There are more than 60 support PSFs, 80% of which are ICT subcontractors. Jean-François Terminaux, President of Finance et Technology, the federation representing them, puts the weight of the new European regulation into perspective. “DORA isn’t a revolution for us. As regulated entities, we have already adapted to recent CSSF circulars that prepared the ground for DORA and go even further, particularly in terms of governance.”

The idea of regulating financial sector subcontractors arose from the desire to protect the professional secrecy to which financial actors are subject, notably as less strategic tasks were increasingly delegated to subcontractors in the early 2000s. “Even then, the CSSF wanted to have a global view of the entire chain to ensure that a defective element in this chain wouldn’t impact the core business of the upstream financial entity,” Terminaux highlights.

A Step Ahead

This particularity of support PSFs gives Luxembourg’s financial centre an advantage over financial companies elsewhere in Europe, which must now make a significant effort to secure their relationships with subcontractors and IT technology providers. “For 20 years, support PSFs have been subject to the same regulatory framework as their clients; they are familiar with regulatory texts and know what is expected of them,” emphasises Gellenoncourt. Even though not all of them are directly subject to the new regulation, they are aware that they must adapt to it to meet their clients’ new constraints. The CSSF, which supervises them, will maintain its level of requirements towards them.


In Luxembourg, the support PSF status thus provides assurance that outsourced work is executed within a strictly controlled framework and therefore with a reduced level of risk. This model has attracted interest in several European countries, but none has taken the step of replicating it in its own legislation. It remains largely unknown beyond Luxembourg’s borders and so has not helped these regulated actors expand abroad. But DORA could change this: “We now have a regulated framework at the European level in which Luxembourg actors’ extensive experience gives them an advantage and should finally give them the opportunity to develop partnerships across the European space. They have a head start,” observes Terminaux.
