OUTSOURCING: DORA, impacts, IT & security

Inter-company training

Who is the training for?

  • Compliance officers
  • AML officers in banks, insurance companies, investment funds
  • Heads of compliance
  • Compliance analysts
  • Heads of legal
  • Lawyers
  • Head of Strategy & Innovation
  • Director of KYC
  • Head of transaction monitoring
  • Head of banking
  • Security/Privacy Managers
  • Data Protection Officers
  • Chief Privacy Officers
  • MOA consultant
  • IT
  • Service provider
  • Middle and back office
  • Head of security
  • Head of back office
  • Auditors

Level reached

Specialisation

Duration

7.00 hour(s)

Language(s) of service

EN

Goals

  • Master the latest amendments to the DORA regulations
  • Incorporate CSSF recommendations into your practice
  • Anticipate the practical issues arising from the implementation of the new requirements

Contents

The DORA (Digital Operational Resilience Act) regulation, whose impact is comparable to that of GDPR on data protection, has become a benchmark for managing operational risks and overseeing outsourcing in the financial and insurance sectors.
More than just a regulatory evolution, it represents the emergence of a new standard, placing digital resilience at the core of corporate strategic priorities.

This unique event, led by renowned experts, offers an in-depth exploration of the challenges and impacts of this regulation, effective since January 2025.

Under the leadership of Sylvain Aubry (Global Head AML TA Operations at CITI), participants will gain practical insights and strategic guidance to navigate these new requirements effectively.

Key topics of the day include:

  • CSSF Expectations: Circular 22/806, outsourcing, and digital resilience.
  • Managing Outsourcing Contracts: Clause compliance, security, reversibility, and handling global service providers.
  • Optimizing long-term relationships with providers: meeting DORA accountability and digital resilience requirements (panel discussion).
  • Cybersecurity and cloud challenges: managing sensitive outsourced data.
  • Practical insights and sector-specific recommendations: navigating DORA obligations.
  • How to Achieve Holistic Outsourcing Management?
  • Technological perspectives: the role of innovation in achieving regulatory compliance.

Don’t miss this opportunity to anticipate how DORA will impact your practices and embrace this new standard!

Please note that this conference focuses on Luxembourg's DORA regulation and its specific implications.

Sylvain AUBRY - Global Head AML TA Operations - CITI

REGULATORY FRAMEWORK AND OBLIGATIONS

Regulatory Overview of Outsourcing: Before and After DORA

  • Presentation of Outsourcing Rules: EBA/ESMA guidelines (including CSSF Circular 22/806) in relation to DORA, with a focus on third-party provider management.
  • Study of the Intersection with the EDPB Opinion on Subcontracting.
  • EBA/ESMA Directives

Vincent WELLENS - IP & TECH partner - NautaDutilh

Practical Insights: Managing Outsourcing Contracts
  • A session focused on real-world challenges and actionable solutions to ensure compliance with DORA requirements.
  • Contractual Clause Compliance
  • Field Experience on Contractual Challenges:
  • Negotiating with international vendors, particularly large technology companies, often reluctant to adapt their standard contracts to meet DORA requirements.
  • Aligning contracts across stakeholders to guarantee full compliance with DORA obligations.
  • A session packed with practical examples, tools, and best practices to tackle the legal and operational hurdles posed by DORA.

Rainer GROSSHANS - Senior Vice President - Head of Legal Department - Mitsubishi UFJ Investor Services & Banking (Luxembourg) S.A.

Panel & interactive quiz
  • Practical Perspectives and Strategic Challenges
  • Optimizing Long-Term Relationships with Providers
  • Aligning Internal Practices with DORA Requirements
  • The Role of Technology in Managing DORA Obligations

Moderator: Sylvain AUBRY

Panelists

  • Frank ROESSIG - Head AI Solutions - Proximus Luxembourg S.A
  • Jean DIEDERICH - Partner - FINEGAN
  • Michael HORVATH - Partner - Regulatory & Sustainability Services - PWC

PRACTICAL INSIGHTS

Holistic Management of Outsourcing: Compliance and Efficiency

  • How to manage outsourcing partners under the shared and specific requirements of NIS, GDPR, and DORA:
  • What are the key considerations?
  • Key focus areas: Securing contracts, risk assessment, and supplier monitoring
  • Practical strategies: How can organizations ensure compliance while minimizing legal and operational risks?
  • Case study and practical tools: A real-world example showcasing best practices, followed by a final checklist to effectively integrate these principles into your governance framework

Julien WINKIN - Managing Partner - External DPO & CISO - LUXGAP

Key considerations for continuous monitoring of your Service Providers
  • Regulatory updates (focus on the insurance sectors)
  • Contractual aspects (including DORA impacts)
  • What contractual mechanisms can be considered to effectively monitor service providers?
  • Main challenges and advice on the negotiation of KPIs
  • Recommendations in case of underperformance against the agreed KPIs
  • Operational aspects (including DORA impacts)
  • Governance - roles and responsibilities specifically in a group set-up
  • Guidance on continuous monitoring practices for third-party vendors (Group vs. third party vendors).
  • What are the specific challenges for non-EU IT providers regarding data protection?

Nicolas HAMBLENNE - Counsel - Avocat à la Cour au barreau de Luxembourg - PwC Legal

Antonin JAKUBSE - Senior Manager Advisor Insurance - Financial Services - PWC Luxembourg

Xiaoyi FANG - Senior Manager Regulatory - Financial Services - PWC Luxembourg

State of Play and Outlook on ICT Outsourcing under DORA and CSSF Circulars
  • DORA: Where Do We Stand Since the Application Date of January 17, 2025?
  • Analysis of Key Obligations for Entities Subject to DORA, including the Compliance of ICT Registers and Reporting to the CSSF.
  • CSSF Circulars on Outsourcing: Updates and Practical Implications
  • Focus on Circular 22/806 and its Harmonization with DORA
  • Where Do We Stand on Circular Updates, and What Will Be the Impact on Financial Entities?
  • Deadlines and Coordination Between CSSF and ESAs: Preparing for the 2025 Deadlines
  • Discussion on CSSF Obligations and Supervised Entities, including the Transfer of Registers to ESAs by April 30, 2025, and Best Practices for Preparation.

Karim BOUAISSI - IT Risk & Assurance - Partner - EY Luxembourg Consulting
