OUTSOURCING: DORA, impacts, IT & security
Operational Risk Management
DORA (Digital Operational Resilience Act) regulation, comparable to the impact GDPR had on data protection, has become a benchmark for managing operational risks and overseeing outsourcing in the financial and insurance sectors.
More than just a regulatory evolution, it represents the emergence of a new standard, placing digital resilience at the core of corporate strategic priorities.
This unique event, led by renowned experts, offers an in-depth exploration of the challenges and impacts of this regulation, effective since January 2025.
Under the leadership of Sylvain Aubry (Global Head AML TA Operations at CITI), participants will gain practical insights and strategic guidance to navigate these new requirements effectively.
Key topics of the day include:
- CSSF Expectations: Circular 22/806, outsourcing, and digital resilience.
- Managing Outsourcing Contracts: Clause compliance, security, reversibility, and handling global service providers.
- Optimizing long-term relationships with providers: meeting DORA accountability and digital resilience requirements (panel discussion).
- Cybersecurity and cloud challenges: managing sensitive outsourced data.
- Practical insights and sector-specific recommendations: navigating DORA obligations.
- How to Achieve Holistic Outsourcing Management?
- Technological perspectives: the role of innovation in achieving regulatory compliance.
Don’t miss this opportunity to anticipate how DORA will impact your practices and embrace this new standard!
Please note that this conference focuses on Luxembourg's DORA regulation and its specific implications.
Quatier Européen Nord
6 Rue du Fort Niedergruenewald
2226 Luxembourg
Luxembourg
- Master the latest amendments to the DORA regulations
- Incorporate CSSF recommendations into your practice
- Anticipate the practical issues arising from the implementation of the new requirements
- Compliance officers
- AML officers in banks, insurance companies, investment funds
- Heads of compliance
- Compliance analysts
- Heads of legal
- Lawyer
- Head Of Strategy & Innovation,
- Director of KYC,
- Head of transaction monitoring
- Head of banking
- Security/Privacy Managers
- Data Protection Officers
- Chief Privacy Officers
- MOA consultant
- IT
- Service provider
- Middle et back office
- Head of security
- Head of back office
- Auditors
Sylvain AUBRY
Global Head AML TA Operations
CITI
REGULATORY FRAMEWORK AND OBLIGATIONS
Regulatory Overview of Outsourcing: Before and After DORA
- Presentation of Outsourcing Rules: EBA/ESMA guidelines (including CSSF Circular 22/806) in relation to DORA, with a focus on third-party provider management
. - Study of the Intersection with the EDPB Opinion on Subcontracting
. - EBA/ESMA Directives
Vincent WELLENS
IP & TECH partner
NautaDutilh
Practical Insights: Managing Outsourcing Contracts
A session focused on real-world challenges and actionable solutions to ensure compliance with DORA requirements.
- Contractual Clause Compliance
- Field Experience on Contractual Challenges:
- Negotiating with international vendors, particularly large technology companies, often reluctant to adapt their standard contracts to meet DORA requirements.
- Aligning contracts across stakeholders to guarantee full compliance with DORA obligations.
A session packed with practical examples, tools, and best practices to tackle the legal and operational hurdles posed by DORA.
Rainer GROSSHANS
Senior Vice President
Head of Legal Department
Mitsubishi UFJ Investor Services & Banking (Luxembourg) S.A.
Panel & interactive quiz
- Practical Perspectives and Strategic Challenges
- Optimizing Long-Term Relationships with Providers
- Aligning Internal Practices with DORA Requirements
The Role of Technology in Managing DORA Obligations
Moderator
Sylvain AUBRY
Panelists
Frank ROESSIG
Head AI Solutions
Proximus Luxembourg S.A
Jean DIEDERICH
Partner
FINEGAN
Michael HORVATH
Partner
Regulatory & Sustainability Services
PWC
PRACTICAL INSIGHTS
Holistic Management of Outsourcing: Compliance and Efficiency
- How to manage outsourcing partners under the shared and specific requirements of NIS, GDPR, and DORA:
What are the key considerations? - Key focus areas: Securing contracts, risk assessment, and supplier monitoring
- Practical strategies: How can organizations ensure compliance while minimizing legal and operational risks?
- Case study and practical tools: A real-world example showcasing best practices, followed by a final checklist to effectively integrate these principles into your governance framework
Julien WINKIN
Managing Partner
External DPO& CISO
LUXGAP
Key considerations for continuous monitoring of your Service Providers
- Regulatory updates (focus on the insurance sectors)
- Contractual aspects (including DORA impacts)
- What contractual mechanisms can be considered to monitor effectively service providers?
- Main challenges and advice on the negotiation of KPIs
- Recommendations in case of underperformance against the agreed KPIs
Operational aspects (including DORA impacts)
- Governance - roles and responsibilities specifically in a group set-up
- Guidance on continuous monitoring practices for third-party vendors (Group vs. third party vendors).
- What are the specific challenges for non-EU IT providers regarding data protection?
Nicolas HAMBLENNE
Counsel
Avocat à la Cour au barreau de Luxembourg
PwC Legal
Antonin JAKUBSE
Senior Manager Advisor Insurance
Financial Services
PWC Luxembourg
Xiaoyi FANG
Senior Manager Regulatory
Financial Services
PWC Luxembourg
State of Play and Outlook on ICT Outsourcing under DORA and CSSF Circulars
- DORA: Where Do We Stand Since the Application Date of January 17, 2025?
- Analysis of Key Obligations for Entities Subject to DORA, including the Compliance of ICT Registers and Reporting to the CSSF
.
- Analysis of Key Obligations for Entities Subject to DORA, including the Compliance of ICT Registers and Reporting to the CSSF
- CSSF Circulars on Outsourcing: Updates and Practical Implications
- Focus on Circular 22/806 and its Harmonization with DORA
- Where Do We Stand on Circular Updates, and What Will Be the Impact on Financial Entities?
- Deadlines and Coordination Between CSSF and ESAs: Preparing for the 2025 Deadlines
- Discussion on CSSF Obligations and Supervised Entities, including the Transfer of Registers to ESAs by April 30, 2025, and Best Practices for Preparation
.
Karim BOUAISSI
IT Risk & Assurance
Partner
EY Luxembourg Consulting