Laurent Mosar, CSV parliamentarian

With the incidence of cyber-attacks like phishing and ransomware steadily on the rise, governments and companies are busily formulating their response. The European Commission has developed its Dora, or digital operational resilience act, in all a 300-page legislative tome setting out what the companies it covers must put in place by January 2025. One prominent Luxembourg politician, however, says he’s concerned that banks, especially, aren’t taking it seriously.

“I have not got any information for any banks,” said Laurent Mosar (photo), a CSV parliamentarian who stands a good chance of becoming the rapporteur on this bill. He said that the finance committee will hold its first meeting on this law on 15 March.

He posted his thoughts about Dora on LinkedIn recently. He gets questions from followers every day about many other laws and rules, he explained. “But like I tell you now after my post, I didn’t really get many questions.” He continued, pointing out that “I don’t have the feeling that many concerned institutions seem to be worrying about it.”

Two-thirds there?

At a recent event discussing Dora organised by local IT consulting firm Luxat, it was reported that bank representatives stated that they were 60% of the way to compliance, due at year-end unless there’s a legislative change.

“I’m not really sure if they are all aware about what they have to implement, or if they are perhaps not really understanding what they have to do,” Mosar said, but conceded that he knows that banks and other financial institutions are working hard on implementing it.

Laurence Senequier, a Deloitte Luxembourg partner, said she saw the financial sector “currently waking up on this regulation.” She added, “the challenge is that it is quite an ambitious regulation and there’s less than a year to comply with everything which is required.”

Heartening conversation

Considering the regulation plus the “level two” text, “it’s almost 300 pages of things which you have to put in place.” She said she was heartened to see “more and more people” talking about it.

Senequier referred to Dora in the context of the wave of regulation facing the financial industry. “CSDR, EMIR, MiFID version 1,2,3,4,5, Open Finance, AML,” she listed off. “It’s a lot.” When it came to Dora, she said, “I think that until you get into opening the book, you have that sense of a bit of overconfidence, oh, no, but it’s the things we’re already doing, but it’s just another level.”

She likened this to “you’ve been doing gym at your own place and all of a sudden you start CrossFit Games.”

Many unanswered questions

Mosar explained that he has spent time poring over the documents relating to the rules but says there are still “many, many questions” to be answered.

The Dora legislation has been warmly received by most practitioners, who are increasingly concerned at the rise in cyberattacks and the lack of a solid European and national framework to respond to them.

According to European Commission documents, there has been a tripling in cyber-attacks in recent years.

Need to clarify

When the process of formulating Luxembourg’s new cyber-crime law gets underway, Mosar explained, there will be legal opinions on the application of the law.

Mosar also flagged the “very huge investment” that is required to implement these measures. He said he wants to know whether the financial institutions will be able to get financial incentives to help with that.

“I think this is very important because not every article in the European act is very clear,” he said. “It’s important that that bill is clarifying all the points.”

Sanctions need clarity

The unclear points, Mosar said, had most to do with responsibility and especially with sanctions. Under national law, for a sanction to apply against someone, “you must have very, very clear rules.”

“For me, I have not really found in the European text very clear rules concerning the sanctions.”

The Luxembourg Conseil d’état (state council) will also analyse the law. “We have to get probably much more clear rules concerning sanctions.” The state council is a body appointed by Luxembourg’s head of state to advise the parliament and the government.

Some only just starting

At the recent event discussing Dora, Senequier said, they surveyed the audience and found that while 80% of the attendees were analysing their position, only 6% had started working on it, and 15% hadn’t even started.

The tough slog to implement such a package is “creating work for consultants,” acknowledged Senequier, who said she personally is busy with Dora projects and that consulting firms including and beyond the Big 4 are talking a lot about it.

Senequier agreed that there is a perception in Luxembourg that we’re too small to be targeted, which is “not really true.” Cyber attackers choose their targets based on how easily they can get in. “Luxembourg having one of the highest GDP per inhabitant – I think it actually puts us a bit on that radar.”
