OUTSOURCING: DORA, impacts, IT & security

REGULATORY FRAMEWORK AND OBLIGATIONS

Regulatory overview of outsourcing framework and third-party provider management rules in the post-DORA era

• Current regulatory landscape and anticipated developments
• Analysis of existing outsourcing and third-party provider management requirements across different regulatory statuses of Luxembourg entities
• Specific considerations for cloud outsourcing arrangements under the DORA framework
• Analysis of data protection implications and GDPR compliance requirements in DORA-regulated outsourcing arrangements

Bénédicte d’ALLARD
Director
Regulatory, Risk & Compliance
ARENDT REGULATORY & CONSULTING S.A

Faustine CACHERA 
Counsel in the IP, Communication & Technology practice
ARENDT & MEDERNACH S.A.

Managing outsourcing contracts in practice- A session focused on legal and practical challenges and actionable solutions to ensure compliance with DORA requirements.

• Challenges related to contractual provisions
• Negotiating aspects (e.g with international vendors, intragroup agreements, ...)
• Aligning contracts across stakeholders to guarantee compliance and alignment with DORA obligations

This session will cover legal requirements and provide practical insights, examples and best practices to tackle the legal challenges posed by DORA.

Nicolas HAMBLENNE
Partner Tech,IP & DATA

DORA Supervision: What to expect from upcoming controls?

• How will supervisors (CSSF, CAA, ECB) assess DORA compliance in practice?
• Which areas are most likely to be tested first — governance, ICT risk, third-party management, or incident reporting?
• What level of documentation and evidence will be required?
• How can firms anticipate and prepare for supervisory reviews effectively?

Laureline SENEQUIER
Partner Cyber Governance & Compliance
DELOITTE

Hatice BASKAYA
Director Cyber Governance & Compliance
DELOITTE
 

Switching Off the Black Box: How the EU CRA Reinforces DORA’s Oversight of ICT Providers

• Shifting the power balance from ICT providers to financial entities: what are the challenges?
• Why do ICT functions still operate as a “black box,” whether they belong to the financial group or are external service providers?
• Detecting underestimated or hidden risks across complex, multi-tier ICT environments: how critical can it be?
• How can financial entities retain control over critical ICT processes—without slowing down innovation?
• What level of operational, technical and supply-chain visibility can financial entities gain under the forthcoming CRA obligations?
• Will the CRA finally open the ICT provider “black box” and deliver the transparency that DORA requires?
• Which concrete regulatory levers—CRA essential requirements, DORA oversight, NIS2 governance, contractual enforcement and certification schemes—empower institutions to effectively challenge and influence their ICT providers?

Caroline JULIEN
Consultant senior en sécurité de l'information, résilience et gestion des risques opérationnels TIC
Caroline-juilien -GRC

Performance – How can resilience become a growth driver?

• Can integrated governance become a lasting competitive advantage?
• Are DORA, NIS2, the AI Act and the GDPR opening a new era where compliance is no longer a constraint but a catalyst for trust and business growth?
• How can organizations align these regulatory frameworks around risk management and operational continuity to turn compliance into a competitive edge?
• Under the combined obligations of DORA, NIS2, the AI Act and the GDPR, how can companies effectively manage third-party providers, critical systems and AI technologies?
• How can governance models secure innovation instead of slowing it down?
• What practical strategies can transform compliance into a growth engine and a powerful commercial argument?
• What can we learn from a governance model where compliance, security and innovation work together to build stronger, more agile and more attractive organizations?

Julien WINKIN
Managing Partner
External DPO& CISO
LUXGAP

New EBA Guidelines on third-party risk management: towards the obsolescence of the outsourcing concept?

- The complex coexistence of outsourcing and ICT services

• From complementarity to overlap: outsourcing once seen as distinct but supportive of ICT services
• From exclusivity to absorption: outsourcing now partly confined to non-ICT services

- The rise of a sharper duality: ICT vs. non-ICT service qualification

• The promise of simplification: between the legacy outsourcing framework and DORA’s regulatory authority
• The limits of harmonization: persistent disparities in how financial entities are treated

Alexandre DELPHIS
CEO-Partner
GOVERNYS

Defining Criticality under DORA: From Concept to Implementation

• What criteria should financial entities use to assess the criticality of ICT functions and third-party providers under DORA?
• How can firms make criticality assessments both consistent across departments and defensible before auditors and regulators?
• What governance mechanisms and reporting practices ensure that criticality classifications remain accurate and up to date over time?

Moderator

Jean DIEDERICH 
Partner
FINEGAN

Panelists

Gilles CHEVILLON
Operational Resilience, Cybersecurity & Financial Crime | Digital Learning & Advisory | Regulatory Compliance (DORA & NIS2)
CEO & Founder
MAET

Frank ROESSIG
Head of AI solutions
PROXIMUS

Alexandre DELPHIS
CEO-Partner
GOVERNYS