
Why is preparation for DORA important right now?

The Digital Operational Resilience Act (DORA) was published on 27 December 2022. It comprises a Regulation and a Directive on Information and Communication Technology (ICT) operations for the financial sector that are already in force and will apply in full from 17 January 2025.

DORA applies to a wide range of financial entities regulated by the CSSF in Luxembourg and sets requirements on:

  • ICT risk management

  • ICT-related incident management and reporting

  • ICT operational resilience testing

  • ICT third-party service classification, assessment and reporting

From 17 January 2025, financial institutions that fail to comply may face penalties.

  • Non-compliant financial entities can be fined up to 1% of average daily worldwide turnover in the preceding fiscal year. This fine can be levied every day until the financial entity achieves compliance.

  • Entities found to be in violation of DORA's requirements may face fines of up to 2% of total annual worldwide turnover, or a maximum fine of EUR 1,000,000 in the case of authority of the financial entity.

With less than eight months remaining before the deadline, we recommend starting as soon as possible to ensure your organization has ample time to complete all necessary preparations without rushing in the last month of the year.

Why is MAQIT the right partner?

MAQIT S.A. has 8 years of experience in IT Compliance Advisory. We have successfully completed a large number of engagements in the FinTech sector and in traditional finance.

MAQIT has developed and uses its own IT regulatory compliance framework, which includes:

  • controls based on the COBIT methodology and the IT regulatory requirements

  • dozens of templates, questionnaires and workflows.

The requirements set out in DORA show many similarities to those of CSSF Circulars 22/806 and 20/750, with which we have been helping our clients in recent years. When DORA was published 6 months ago, we adapted our framework to help clients meet the coming new requirements.

DORA covers all digital and data services provided on an ongoing basis, not only ICT services that qualify as outsourcing. Our ICT Control Framework therefore now focuses more on ICT Security Risk Management and Incident Management, and not only on ICT Outsourcing Management.

What will you get?

With the MAQIT DORA Methodology we help your company meet the following two key objectives:

  1. By the end of 2024: to become compliant with the DORA-related regulatory requirements.

  2. In a mid-term perspective: to gain advantages from remaining DORA compliant.

MAQIT will help your company to:

  • Find gaps in your policies and procedures regarding DORA requirements with our DORA Adoption Framework

  • Get templates for missing documents and changes to policies and procedures that are not compliant with DORA

  • Select and implement technology and tools that allow the controls to be implemented in the field

  • Obtain access to a highly specialised MAQIT workforce that helps you implement the controls in the field

How do we work?

For the DORA Gap Assessment we suggest the following approach:
1. Defining Strategy

Bring together the key stakeholders to clarify the project scope, goals, timeline and dependencies

Analyse the regulatory context according to the principle of proportionality, as well as the applicability of DORA requirements

Perform an initial risk assessment in each of the DORA pillars

  • Project Governance Deck and Minutes

  • Understanding the context and key risks your organization is facing

  • High-level risk assessment

  • Action Plan

2. Planning DORA Readiness

Perform a detailed DORA compliance gap analysis based on the MAQIT Control Framework, accelerated by our previous experience

Understand the priorities and adjust the planning

Define deadlines and owners for the plan

  • Detailed DORA Gap Report with suggested remediations

  • Detailed Control Plan with owners, deadlines and success criteria to achieve the DORA Readiness

3. Achieving DORA Readiness

Address the DORA compliance gaps identified in earlier stages together with your IT Department

Provide assistance with the drafting of DORA compliant Policies and Procedures

Provide assistance with the selection of a penetration-testing provider and define the penetration-testing scope

Analyse third-party IT providers and make the entries in the information register

  • DORA compliant Policies and Procedures framework

  • DORA compliant Risk Assessment

  • DORA compliant third-party provider register
4. DORA Adoption

Knowledge sharing (training of the key DORA stakeholders)

DORA-related control automation (e.g. penetration testing, risk assessment or the Information Register)

Amendments (optimizations) to the existing control framework

Measure effectiveness of the implemented Controls and propose amendments if needed

Assistance on Information Register completion

  • Assurance that the controls are implemented

  • Completed DORA Information Register with underlying ICT third-party evidence folder

5. Monitoring and Governance

Regulatory Watch Service

Implement Changes to Policies, Procedures and Controls

Ongoing Oversight of the Outsourcing and Third-Party providers

Improvement of the control mechanisms

  • Assurance that the controls are up-to-date and effective

  • Control Effectiveness Report

Why MAQIT?

  • Based on the most recognised industry standards, including but not limited to TOGAF, COBIT, ISO, NIST and ENISA.

  • Digitalises a formerly manual and error-prone process by creating a single point of truth in IT Compliance.

  • Designed with collaboration in mind: it permits a fluent exchange between the Line of Business and IT Compliance Experts.

Your Project Team:

Luc Maquil will manage communications and supervise delivery control.

Flavien Rouzaud will be your Project Manager and senior DORA expert.

Thulani Gina will cover Outsourcing Management.
