Meeting the DORA Challenge: Finologee’s Approach to Operational Excellence

The Digital Operational Resilience Act (DORA) represents a milestone in strengthening the European Union’s financial sector against digital disruptions and cyber threats. Effective from 17 January 2025, DORA applies to approximately 22 000 entities, including banks, insurers, investment firms, and other regulated financial institutions. It also extends to ICT third-party service providers, who are typically indirectly within scope through their roles as subcontractors to financial entities, except for a limited number of critical, often pan-European or global providers, which will be directly regulated. The Act builds upon and complements existing EU and national frameworks for IT outsourcing and security, creating a unified and enhanced approach to operational resilience.

Luxembourg, as a leading financial centre, is exceptionally well-prepared to meet DORA’s requirements. With a long-standing focus on ICT security, the country has directly regulated national ICT providers serving the financial sector. Regulators have prioritised establishing a robust and resilient operational environment to safeguard the stability of the nation’s financial industry, aligning seamlessly with the objectives of DORA.

Finologee has spent several months preparing for DORA, addressing its requirements across operational, compliance, ICT security, reporting, and contractual dimensions. The company’s objective is to support financial institutions in navigating this regulatory evolution by offering a ready-to-use framework that integrates seamlessly with its existing agreements and the IT security and compliance frameworks of its clients.

We talked about DORA and its challenges in general, as well as its specific implications for Finologee, with two of its co-founders, Raoul Mulheims and Georges Berscheid, who oversaw the implementation of the regulation at Finologee.

What was Finologee’s initial reaction to DORA?

“When DORA was announced, we saw it as a pivotal moment for the financial sector,” recalls Georges Berscheid, co-founder and CTO. “It was clear from the start that this regulation would reshape how financial institutions and their ICT providers manage operational resilience. For us, this wasn’t just about compliance—it was an opportunity to elevate our existing frameworks and provide our clients with a solution that exceeds expectations.”

From the beginning, Finologee approached DORA with the ambition to go beyond basic requirements. Berscheid explains that the company’s overarching goal was to reduce the compliance burden for clients while maintaining its own high standards. “We wanted to create a setup that integrated seamlessly with their existing systems, ensuring minimal effort on their part while delivering a robust, compliance-ready package.”

How prepared was Finologee to meet the DORA requirements?

Finologee’s stringent operational frameworks provided a strong starting point for DORA compliance. As a regulated Support PFS in Luxembourg, the company already adhered to high standards of ICT security and compliance, aligned with both EU and Luxembourg regulations.

“After our initial assessments, we realised that about 95% of the necessary processes and requirements were already in place,” says Raoul Mulheims, co-founder and CEO. “This was thanks to the solid foundation we had built over the years. Our ISO 27001 certification, renewed in 2023, also played a key role in meeting global IT security standards.”

The assessments revealed that while most requirements were covered, updates were needed for certain areas, particularly subcontractor management. “Ensuring alignment across our entire supply chain required significant effort,” Mulheims notes. “Fortunately, many of our subcontractors were already well-prepared, particularly those focused on the financial sector.”

Raoul Mulheims, CEO of Finologee, discussing the implications of DORA for service providers during a panel at ALFI's Digital Fund Management Conference.

What are the key challenges associated with subcontracting under DORA?

Subcontracting is one of the most complex aspects of DORA compliance, introducing challenges for both financial entities and their ICT providers.

“One major hurdle is distinguishing between critical ICT third-party providers and those supporting critical or important functions. The European Supervisory Authorities are expected to publish a list of critical providers in the second half of 2025, but identifying which providers support critical or important functions is left to each financial entity. This has led to varying interpretations of the criteria outlined in Article 3(22), making it difficult to ensure consistency across the industry.” – Georges Berscheid

Another challenge lies in subcontractor readiness. Many smaller ICT providers, particularly those serving non-financial industries, are still adapting to DORA’s requirements. “While most of our subcontractors have made the necessary adjustments, there are cases where providers struggled to align or even opted out entirely,” Berscheid adds. “This creates additional challenges for financial entities, as they may need to consider transitioning to alternative providers.”

To address these challenges, financial entities must implement enhanced oversight measures, including increased reporting, detailed audits, and robust contractual frameworks. These requirements impact the operations of both financial institutions and their subcontractors, creating a ripple effect across the supply chain.

How does Finologee support its clients in navigating DORA?

“Our role is to simplify compliance for our clients and provide them with a framework they can rely on.” – Raoul Mulheims

At the heart of this approach is Finologee’s Financial Services Addendum, which aligns contractual terms with DORA’s requirements while ensuring compatibility with existing client frameworks.

“We’ve also leveraged our technology to support clients,” Mulheims explains. The company’s customer care portal provides clients with a centralised platform to access reports, track tickets, and review incident notifications and updates. “In addition, we’ve long maintained a practice of monitoring SLA performance 24/7 and presenting comprehensive reports during regular account meetings. This foundation required only minor adjustments to meet DORA’s specific demands.”

Finologee’s proactive approach extends beyond its own operations. The company works closely with its subcontractors to ensure that their setups align with DORA, fostering a collaborative compliance ecosystem that benefits all stakeholders.

What’s next for Finologee after 17 January 2025?

With DORA coming into effect on 17 January 2025, the immediate focus for Finologee and its clients will shift to upcoming milestones, such as the submission of Registers of Information.

“These registers must be submitted to the European Supervisory Authorities by 30 April 2025,” explains Georges Berscheid. On 15 January 2025, the CSSF announced the specific deadlines for Luxembourg, requiring financial entities to submit their registers via eDesk between 1 April 2025 and 15 April 2025. Additional information related to the eDesk procedure will be published at a later stage.

Beyond these deadlines, the focus will remain on continuous improvement. “Compliance is not a one-time exercise,” Berscheid emphasises. “It’s an ongoing process that requires regular updates, audits and collaboration. At Finologee, we see this as an opportunity to not only strengthen our own frameworks but to help our clients navigate the evolving regulatory landscape with confidence.”