DORA
Are You Ready for the New Digital Resilience Era? The Digital Operational Resilience Act (DORA) is reshaping how financial entities approach cybersecurity, ICT risk management, and resilience testing.
Compliance is no longer optional - it’s a strategic imperative.
Ensure your compliance with DORA – The Digital Operational Resilience Act
DORA: what is it?
The Digital Operational Resilience Act (DORA) introduces a harmonized framework to enhance the cyber resilience of financial institutions across the EU. It establishes stringent requirements to mitigate ICT risks and ensure operational continuity. From 17 January 2025, financial institutions must comply with strict obligations covering ICT risk management, incident reporting, resilience testing, and third-party risk oversight.
Is your firm prepared?
DORA establishes mandatory requirements for banks, investment firms, asset managers, and other financial entities to enhance their digital resilience and mitigate systemic risks. Achieving compliance demands a structured approach, including risk governance, continuous monitoring and a robust incident response strategy.
What do you need to do?
DORA requires the implementation of a tailored compliance framework:
DORA readiness assessment - identify compliance gaps and define a compliance roadmap
ICT risk management implementation - develop robust policies and frameworks to mitigate cyber threats
Incident response & reporting support - ensure full compliance with DORA's strict incident reporting rules
Third-party risk management - continuously assess and monitor ICT service providers to mitigate outsourcing risks
Resilience testing & training - conduct scenario-based resilience testing and train staff to handle cyber threats effectively
How can Osmia Consulting help you?
At Osmia Consulting, we specialise in regulatory compliance and operational resilience. Our experts provide strategic guidance to help you navigate DORA complexities and implement a tailored, effective compliance framework.
Avoid the Risk of Non-Compliance!
Non-compliance with DORA can lead to hefty financial penalties and reputational damage.
Osmia Consulting helps ensure your firm is resilient, secure and fully compliant.
Contact us today to discuss how we can assist with your DORA compliance journey.
Act now: the DORA register of information on ICT third-party arrangements must be submitted to the CSSF by April 2025 - make sure your firm is prepared!
Avoiding Compliance Pitfalls Under CSSF Circular 18/698
Regulatory compliance in Luxembourg’s financial sector is becoming increasingly complex, and staying ahead of CSSF Circular 18/698 requirements is essential. At Osmia Consulting, we provide expert guidance and innovative solutions to help financial institutions streamline their compliance processes with confidence.
Want to ensure your organization is fully aligned with regulatory expectations? Discover how our tailored compliance services can support your business.
Is your firm prepared?
Regulatory scrutiny in Luxembourg continues to intensify, and financial institutions must stay proactive to meet the requirements of CSSF Circular 18/698. Failing to do so can result in significant consequences, including sanctions, reputational damage, and operational disruptions. But how confident are you that your firm is ready?
Here are some of the most common pitfalls that financial institutions encounter:
Incomplete or outdated compliance frameworks - Are your policies regularly reviewed and aligned with the latest regulatory expectations?
Insufficient or disorganized documentation - Can you provide clear, consistent, and readily accessible records to regulators when requested?
Weak conflict of interest management - Do you have robust controls in place to identify, assess, and mitigate conflicts effectively?
Inadequate compliance monitoring - Are you tracking obligations systematically, or are you still relying on inefficient manual processes?
Ensuring compliance isn't just about ticking boxes - it's about safeguarding your firm's reputation and operational resilience.
How can Osmia Consulting help you?
Compliance Framework Assessment: Identify gaps and align processes with CSSF Circular 18/698.
Internal Audits & Reviews: Stay audit-ready with independent compliance checks.
Tailored Training Programs: Equip your teams with the latest compliance best practices.
Stay ahead of regulatory challenges
Partner with Osmia Consulting to build a Resilient Compliance Framework that protects your company. Contact us today to learn more about how we can support your compliance needs and help you stay confidently ahead of regulatory requirements.
Responsable du Contrôle (RC) & Responsable du Respect (RR)
Are you looking for a reliable and experienced Responsable du Contrôle (RC) to ensure your organisation meets all regulatory standards? As a consultant specializing in RC roles, Osmia Consulting provides expert oversight to help you achieve compliance, efficiency, and excellence in your projects.
Key role of the "RC" in the Luxembourg compliance framework
What is an RC?
In the Luxembourg compliance framework, "RC" stands for "Responsable du Contrôle" (in full, responsable du contrôle du respect des obligations professionnelles en matière de lutte contre le blanchiment d'argent), which can be translated as the "person responsible for the control" of compliance with anti-money laundering obligations.
The RC plays a key role in the Luxembourg compliance framework and is often required in regulated entities such as financial institutions, investment funds, and service providers under the supervision of the Commission de Surveillance du Secteur Financier (CSSF) or other regulatory bodies.
The RC’s main responsibilities are to oversee the entity's compliance with Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) laws and regulations in the financial sector, and to ensure that robust controls are in place.
The RC also has specific reporting duties towards the regulators, the board of directors and the management body, and serves as the primary contact for regulators on AML/CFT-related matters.
When and why might one require an RC?
Entities under the supervision of the CSSF or other regulatory authorities, such as the CAA (Commissariat aux Assurances) or the AED (Administration de l’Enregistrement, des Domaines et de la TVA), must appoint an RC.
These entities typically include :
• Investment Funds (UCITS and AIFs including RAIFs)
• Management Companies (ManCos) and Alternative Investment Fund Managers (AIFM)
• Banks and Credit Institutions
• Electronic Money Institutions (EMIs) and Payment Institutions (PIs)
• Professionals of the Financial Sector (PSFs)
• Insurance and Reinsurance Undertakings
• And some Special Purpose Vehicles (SPVs) such as Securitization vehicles in specific cases.
Unregulated structures, such as holding companies (SOPARFIs), do not generally require an RC unless their activities fall under AML/CFT obligations.
What are the primary distinctions and relationship between the role of RC and other risk/compliance positions?
RR (Responsable du Respect des obligations professionnelles en matière de lutte contre le blanchiment, i.e. the person responsible for compliance with AML/CFT professional obligations)
The RR is responsible for ensuring that the entity complies with the laws, regulations and professional standards on Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT), while the RC controls that this compliance is actually achieved. In other words, the RR's role is to have preventive measures implemented and to ensure that employees comply with their regulatory obligations, while the RC focuses on oversight and control.
The RC and RR roles are distinct but complementary. They work together to ensure regulatory compliance through a holistic structure.
CCO (Chief Compliance Officer)
The Compliance Officer is a broader, non-specific role responsible for an organization's overall compliance framework across multiple regulatory domains. In smaller organizations, the RC and the Compliance Officer roles might be held by the same person. In larger organizations, the RC is typically a distinct role within the compliance function.
The CCO conducts monitoring activities, ensures that employees follow compliance policies, and prepares reports. In doing so, the CCO supports both the RC and the RR by managing day-to-day compliance tasks.
Internal Audit
Often referred to as the “third line of defence”, internal audit provides an independent and critical evaluation of the compliance framework and risk management processes in place, distinct from the RC and RR and other internal control functions.
Board of directors/managers
The board bears the ultimate responsibility for ensuring that the organization complies with all regulatory and legal requirements.
Who can be RC?
Unlike the RR, which can be a collective body (such as the board itself), the RC must be an individual. An RC must possess the following qualities:
✓ Relevant experience and understanding, particularly of compliance and the financial sector.
✓ Independence and authority to execute their duties effectively.
✓ Sufficient time and resources to fulfil their responsibilities.
The appointment of an RC in the financial sector typically requires the CSSF’s approval.
Given that only entities with complex activities require a full-time RC, most RC roles are part-time. Outsourcing to external experts is therefore a viable option, as it provides access to the necessary expertise and experience without the need for permanent recruitment.
How can Osmia Consulting help you?
With extensive experience in Luxembourg's regulatory landscape, Osmia Consulting offers a diverse pool of candidates who can act as your company's RC, ensuring efficient and expert management of your compliance requirements.
AML & KYC - GAP Analysis
The latest European regulations and directives on anti-money laundering (AML) not only created a new European authority in this field (the AMLA) but also brought a wave of legal and regulatory texts, each carrying new requirements.
Ensuring adherence to anti-money laundering and counter-terrorism financing regulations, commonly referred to as AML/CFT, is a critical part of your day-to-day responsibilities.
Sanctions for regulatory or legal infractions include warnings, public statements, suspension or revocation of your authorization, as well as fines.
Who is impacted?
✓ Financial professionals subject to CSSF supervision, such as management companies, AIFMs, credit institutions, SIFs, UCITS, SICARs, payment institutions, central administrators ...
✓ Financial professionals subject to AED supervision such as RAIF
✓ Insurance undertakings licensed or authorized to exercise their activities in Luxembourg as well as the professionals of the insurance sector
✓ Family offices
✓ Other professionals (mainly accountants, real estate agents, notaries, lawyers)
What are the main obligations?
✓ Perform an AML risk assessment
✓ Perform a country risk assessment
✓ Carry out customer due diligence (on investors and counterparties)
✓ Implement policies and procedures
✓ Report suspicious activities
✓ Receive regular training
How can Osmia Consulting assist you?
Assess your AML-KYC risk by conducting a gap analysis
Train your teams on AML-KYC topics
Stay informed about any new regulatory and legal developments
Keep your policies and procedures up-to-date
Organize your due diligence work in an efficient way
RC / RR: find your MLRO or responsible officer
RCS - New requirement
LNIN - Luxembourg National Identification Number
Don't wait any longer. LNIN applications are in progress for all companies registered with the Luxembourg RCS. We can help you meet your obligations.
Luxembourg National Identification Number
As of 12 November 2024, all natural persons who are already or will be registered in the Luxembourg Trade and Companies Register (RCS) must provide their Luxembourg National Identification number (LNIN). If they do not have a LNIN, they must obtain one.
The LNIN, also known as the 'matricule number' or the 'CNS number', is a unique identifier for natural persons. It is automatically assigned to Luxembourg residents and Luxembourg workers.
Who is impacted by this?
All natural persons registered with the RCS, in any capacity:
shareholders, partners, directors, managers, representatives and auditors.
What are the obligations of natural persons who do not have a LNIN yet?
Fill in a specific filing form on the RCS portal, communicating:
first names; last name; date, place and country of birth; gender; nationality; private home address (number, street, postal code, locality, country); and supporting documents such as ID documents and proof of private address, all translated into English or one of the national languages.
What are the obligations of natural persons in possession of a LNIN?
Fill in a specific filing form on the RCS portal for this purpose, allowing the communication of the LNIN.
What is the impact of non-compliance?
Inability to finalize filing procedures with the RCS, whether or not the filing relates to a natural person (e.g. filing of annual accounts).
How can Osmia Consulting help you?
Conduct a gap analysis to evaluate the impact on your entity
Fill in the required forms
Keep your LNIN request up-to-date