IT Consulting

In today's digital landscape, businesses face unprecedented challenges when it comes to safeguarding their sensitive information. The threat landscape is evolving rapidly, and regulatory requirements are becoming increasingly stringent. 

At BDO, we understand the critical importance of protecting your organisation's digital assets and ensuring compliance with industry regulations. Our team of highly skilled professionals specialises in providing comprehensive ICT Security & Compliance solutions tailored to meet the unique needs of your business. We provide you with expertise and guidance to support you in your compliance journey by helping you navigate the regulatory challenge through:

  1. Luxembourg Regulations
  2. EU Regulations

1. Luxembourg Regulations

IT Governance

Circular CSSF 20/750 (as amended by Circular CSSF 22/828) on requirements regarding information and communication technology (ICT) and security risk management

Entities in scope:

Credit Institutions, DRSP, Investment firms, Payment institutions / Electronic money institutions / AISP, Specialised PFS, Support PFS

The main purpose of this circular is to implement the requirements regarding ICT and security risk management, which are organised in six main domains. BDO supports you with:

  • ICT and security risk assessment: A gap assessment against the regulatory requirements outlined in Circular CSSF 20/750.
  • Optimised IT Governance framework: Based on the gaps identified in the assessment, we help you address the remediation and support you in building a robust IT risk management framework.
  • Awareness Training: We help you navigate the IT regulatory challenges by providing tailored training across all levels.
  • Constant Communication and Support: We offer ongoing communication, help and support so that financial institutions have a reliable and engaged consulting partner for their IT compliance needs.

IT Outsourcing

Circular CSSF 22/806 on outsourcing arrangements

Entities in scope:

AIFMs, CSDs, credit institutions, DRSP, E-money institutions, SICAR, investment firms, Management Companies – Chapter 15, Payment institutions, Pension Funds, Securitisation undertakings, SIF, Specialised PFS, Support PFS, UCI, UCITS

The main purpose of this circular is to:

  • Implement the requirements of the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), which aim to provide a transparent, homogeneous and harmonised national framework for outsourcing arrangements. The circular also gathers the requirements for ICT outsourcing arrangements, whether traditional IT outsourcing or cloud-based IT outsourcing.

Circular CAA 21/15 on Cloud Outsourcing

Entities in scope:

Insurance & Reinsurance Companies

Following circular letter 20/13, in which the Commissariat aux Assurances informed the insurance and reinsurance companies under its supervision that it would fully apply the "Guidance on outsourcing to cloud service providers", circular 21/15 takes up that set of guidelines and integrates certain additional CAA requirements.

Circular CAA 22/16 on Traditional Outsourcing

Entities in scope:

Insurance & Reinsurance Companies

Luxembourg insurance and reinsurance companies are required to inform the CAA of their intention to outsource important operational activities or functions or compliance, internal audit or actuarial functions (deemed critical), as well as of any subsequent significant developments concerning these functions or activities. The purpose of this circular is to specify the CAA's requirements regarding the outsourcing of important or critical operational activities or functions, and their notification to the CAA.

  • Risk Management and Due Diligence: We provide you with expertise in assessing and managing the risks associated with outsourcing arrangements, including due diligence on third-party service providers.
  • Policy and Procedure Development: We support you in creating and refining policies and procedures related to outsourcing, ensuring they adhere to the circular's requirements.
  • Compliance Assessment and Gap Analysis: We conduct a comprehensive review of existing outsourcing arrangements to ensure alignment with each specific requirement.
  • Outsourcing Development Strategy: We assist you in formulating a strategic approach to outsourcing that complies with the circular's supervisory expectations and harmonised framework including but not limited to:
    • Materiality assessment / impact assessment
    • Outsourcing risk assessment framework
    • IT oversight framework

2. EU Regulations

DORA: Digital Operational Resilience Act

  • In 2020, the European Commission introduced the Digital Operational Resilience Act (DORA) to unify and enhance cybersecurity for financial entities and ICT service providers in the EU, supporting the region's digital finance strategy and empowering the European Supervisory Authorities (ESAs) to exercise effective oversight.
  • On December 27, 2022, DORA was officially published, establishing consistent rules for the digital resilience of regulated financial entities and creating an oversight framework for critical ICT third-party providers (CTPPs).
  • The finalised DORA came into effect on January 16, 2023, initiating a 24-month implementation period for entities to comply with its requirements. In 2024, alongside DORA, entities must track the additional Regulatory Technical Standards (RTS) released by the ESAs. Entities must comply with the regulation by January 17, 2025.
  • The Regulation aims to unify guidelines on digital resilience in the financial sector across EU Member States. It seeks to bolster security measures, reducing the threats and risks associated with ICT use, while reinforcing operational resilience against ICT-related incidents. These goals are achieved through requirements outlined in five primary pillars:
    • ICT risk management
    • ICT-related incident management, including payment-related incidents
    • Digital operational resilience testing
    • Management of ICT third-party risk and oversight of critical ICT third-party service providers
    • Information and intelligence sharing

NIS2: Network & Information Security Directive 2022/0383

NIS 2, or the Network and Information Security Directive 2, is a European Union legislative framework aimed at enhancing cybersecurity across the EU. It builds upon the original NIS Directive (2016) and seeks to address emerging cyber threats and improve the resilience of critical infrastructure. NIS 2 expands the scope to include more sectors, such as healthcare, digital infrastructure, and public administration, while imposing stricter security and reporting requirements. It aims to foster greater cooperation between EU member states and establish more consistent and effective cybersecurity measures across the union. The directive mandates that companies implement robust security measures, report incidents promptly, and undergo regular assessments to ensure compliance.

Its main goals are:

  1. Setting the bar for cyber security measures in critical industries for modern-day society through a significant expansion of the organisations in scope compared to NIS1
  2. Ensuring that the cyber security posture across the different EU member states and national governments significantly improves
  3. Strengthening EU cooperation between the different cyber authorities

PSD2: Payment Services Directive

PSD2 is a game-changer in the financial sector, aimed at promoting competition, innovation, and enhancing consumer protection. It requires banks and other financial institutions to open up their payment infrastructure to third-party providers (TPPs) through Application Programming Interfaces (APIs). This means that customers can now securely share their financial data with authorised TPPs to access a range of innovative services, such as payment initiation, account aggregation, and personalised financial advice.

PSD3/PSR: Payment Services Directive/Payment Services Regulation

The Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR) are upcoming legislative frameworks by the European Union aimed at enhancing the payment services landscape.

The primary objectives include:

  1. Enhanced Consumer Protection: Strengthening safeguards to protect consumers from fraud and abuse in payment transactions
  2. Increased Competition: Encouraging competition by fostering innovation and removing barriers to entry for new market players
  3. Improved Security: Enhancing the security of payment transactions through stricter authentication and fraud prevention measures
  4. Transparency and Efficiency: Ensuring greater transparency in payment services and reducing costs for consumers and businesses
  5. Harmonisation: Aligning regulatory standards across EU member states to create a more cohesive and efficient payments market
  6. Innovation Support: Facilitating the development and adoption of new payment technologies and services

DORA requires financial institutions to implement and operate the following five pillars in order to be compliant:

Pillar 1 ICT Risk Management

  • Financial entities must implement a comprehensive ICT risk management framework covering governance, policies, roles and responsibilities, and the full risk lifecycle (identify, protect, detect, respond, recover) to proactively manage digital risks. 

Pillar 2 ICT‑related Incident Management, Classification & Reporting

  • Firms must establish processes to detect, classify by severity, and report major ICT‑related incidents to their competent authority within strict deadlines, using harmonised templates and channels to ensure transparency. 

Pillar 3 Digital Operational Resilience Testing

  • Organisations are required to perform regular resilience tests—such as vulnerability assessments, scenario‑based tabletop exercises and threat‑led penetration testing—and to remediate any gaps identified to validate their ability to withstand cyber‑attacks. 

Pillar 4 Management of ICT Third‑Party Risk

  • Entities must conduct due diligence, embed mandatory contractual clauses, and continuously monitor critical ICT service providers (including cloud and outsourcing partners) to ensure they meet the same security and resilience standards. 

Pillar 5 Information‑Sharing Arrangements

  • DORA encourages voluntary, secure sharing of cyber threat intelligence and best practices among financial firms and authorities to foster collective situational awareness and strengthen the EU financial ecosystem’s overall resilience.

NIS2 is a self-electing directive (entities assess for themselves whether they fall in scope); however, its requirements are similar to those of DORA. In Luxembourg, the directive is overseen by the Institut Luxembourgeois de Régulation (ILR). The requirements are set out below:

Self-Regulation

  • Firms must declare their designation, based on a self-assessment, to the national competent authorities.

Cybersecurity Risk Management

Entities must implement a cohesive cybersecurity risk management framework covering:

  • Risk analysis and information system security
  • Assessment of the effectiveness of cybersecurity risk-management measures
  • Business continuity, disaster recovery and crisis management
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Human resources security, access control policies and asset management

Incident Notification

  • Companies must report security incidents promptly and should therefore have processes in place for this purpose.

Security in Supply Chain

  • In-scope organisations must consider the vulnerabilities specific to each direct supplier and service provider.

Training and Awareness

  • Training programs should be implemented to ensure proper cyber hygiene practices.

The Network and Information Security (NIS) Directive and the Digital Operational Resilience Act (DORA) are regulatory measures aimed at enhancing the digital resilience of the European Union (EU) and mitigating the impact of cyber incidents. To ensure a harmonious implementation, the European Commission has issued Guidelines clarifying the exemption of entities to which sector-specific legal acts apply from the NIS2 Directive. These Guidelines explicitly state that DORA has priority over NIS2 provisions on ICT risk management, cyber incident reporting, digital operational resilience testing, information-sharing, ICT third-party risk, supervision, and enforcement.

DORA incorporates a provision known as "lex specialis", granting it priority over the NIS2 Directive, which is considered a general law. This provision ensures that if there are any conflicts or overlaps between the two instruments, DORA takes precedence. The "lex specialis" provision in DORA helps to avoid confusion and ambiguity in the regulatory landscape.

This provides additional clarity on the exemption of the banking sector from the NIS2 Directive: financial entities covered by DORA should adhere to its provisions instead of those outlined in the NIS2 Directive.

DORA: Digital Operational Resilience Act

  • DORA introduces clear and well-defined guidelines, offering the regulated entities listed above an opportunity to showcase their digital maturity. While some sectors, like banking, will primarily focus on updating existing measures, others, such as Investment Management, face more intensive implementation efforts.
    • BDO supports you with a readiness assessment, which is crucial for tailoring an action plan for compliance.
    • Beyond the readiness assessment, we support you in implementing a robust framework that addresses the gaps identified.

PSD2: Payment Services Directive

  • At BDO, we specialize in providing comprehensive PSD2 compliance solutions tailored to meet the unique needs of our clients. Our team of experienced consultants possesses in-depth knowledge of the regulatory landscape and the technical expertise required to ensure a smooth implementation process. Here's how we can assist you:
    • Regulatory Guidance: We stay up-to-date with the latest PSD2 requirements and can provide you with clear and practical guidance on how to align your business operations with the regulation. Our experts will help you understand the specific obligations, such as strong customer authentication (SCA), secure communication channels, and access to account information, ensuring you remain compliant at all times.
    • Security and Risk Management: PSD2 introduces significant security and risk management considerations. We can conduct comprehensive risk assessments, identify vulnerabilities, and develop tailored security strategies to mitigate potential threats. Our goal is to help you build a secure environment that safeguards your customers' data and protects your business from unauthorized access or fraudulent activities.
    • Ongoing Compliance Support: PSD2 compliance is not a one-time effort; it requires continuous monitoring and adaptation to evolving regulatory demands. Our team provides ongoing compliance support, keeping you informed about any changes in the regulatory landscape and assisting you in maintaining a compliant and competitive position within the market.

Gap assessment & Roadmap

  • As a stand-alone advisory audit or as part of the recurring internal audit plan, ask your BDO contact about how we include DORA in our audits!

Implementation Support

  • Our BDO advisors have hands-on experience with DORA templates including the register of information (ROI), ICT risk management framework, ICT risk register, third party risk management policy and procedures, operational resilience testing programs, and more.

External Verification & Auditing

  • Our dedicated team of auditors and advisors provide the independent assurance your management needs on DORA compliance from the third line of defense.

Threat-Led Penetration Testing (TLPT) in Compliance with DORA

Key Contact

Benoit Wtterwulghe

Partner - Consulting