OUTSOURCING: DORA, impacts, IT & security
How to manage ICT risks in the era of digital resilience?
10 % (excl. VAT) discount on each registration received by 6 February 2026 (code EARLY10)
Navigating the Post-DORA Era: From Compliance to Performance
As financial institutions enter a new regulatory landscape, DORA (Digital Operational Resilience Act) emerges as the cornerstone for operational resilience in ICT systems.
This conference goes beyond compliance: it is designed to show how regulatory obligations can be transformed into levers for governance, innovation, and trust.
Under the guidance of Sylvain Aubry, our speakers – legal experts, consultants, and cybersecurity leaders – will take you through the key challenges of managing third-party providers, supervising ICT functions, and securing critical operational processes.
From regulatory overviews to practical contract management and operational solutions, this conference offers a comprehensive view of DORA’s requirements, complemented by insights on NIS2, the AI Act, and GDPR.
The program combines expert perspectives, real-world examples, practical tools to anticipate supervisory reviews, and strategic discussions on turning operational resilience into a competitive advantage.
Join us to discover how compliance is no longer a constraint but an opportunity – an opportunity to build safer, more agile, and more innovative organizations where performance and security go hand in hand.
- How does DORA reshape outsourcing rules for Luxembourg entities?
- What will supervisors check first in DORA compliance reviews?
- How can firms gain real visibility into ICT providers under CRA + DORA?
- Can DORA, NIS2 and the AI Act be aligned without overburdening governance?
- Are the new EBA Guidelines making outsourcing an outdated concept?
- Compliance officers
- AML officers in banks, insurance companies, investment funds
- Heads of compliance
- Compliance analysts
- Heads of legal
- Lawyer
- Head of Strategy & Innovation
- Director of KYC
- Head of transaction monitoring
- Head of banking
- Security/Privacy Managers
- Data Protection Officers
- Chief Privacy Officers
- MOA consultant
- IT
- Service provider
- Middle and back office
- Head of security
- Head of back office
- Auditors
REGULATORY FRAMEWORK AND OBLIGATIONS
Managing Outsourcing Contracts Under DORA: Securing, Negotiating and Aligning Critical Clauses
- Challenges related to contractual provisions
- Negotiating aspects (e.g. with international vendors, intragroup agreements, ...)
- Aligning contracts across stakeholders to guarantee compliance and alignment with DORA obligations
This session will cover legal requirements and provide practical insights, examples and best practices to tackle the legal challenges posed by DORA.
DORA Supervision: What to expect from upcoming controls?
- How will supervisors (CSSF, CAA, ECB) assess DORA compliance in practice?
- Which areas are most likely to be tested first — governance, ICT risk, third-party management, or incident reporting?
- What level of documentation and evidence will be required?
- How can firms anticipate and prepare for supervisory reviews effectively?
Hatice BASKAYA
Director Cyber Governance & Compliance
DELOITTE
Sébastien MULLER-BORLE
Senior Manager
DELOITTE
Switching Off the Black Box: How the EU CRA Reinforces DORA’s Oversight of ICT Providers
- Shifting the power balance from ICT providers to financial entities: what are the challenges?
- Why do ICT functions still operate as a “black box,” whether they belong to the financial group or are external service providers?
- Detecting underestimated or hidden risks across complex, multi-tier ICT environments: how critical can it be?
- How can financial entities retain control over critical ICT processes—without slowing down innovation?
- What level of operational, technical and supply-chain visibility can financial entities gain under the forthcoming CRA obligations?
- Will the CRA finally open the ICT provider “black box” and deliver the transparency that DORA requires?
- Which concrete regulatory levers—CRA essential requirements, DORA oversight, NIS2 governance, contractual enforcement and certification schemes—empower institutions to effectively challenge and influence their ICT providers?
Caroline JULIEN
Senior Consultant in Information Security, Resilience and ICT Operational Risk Management
CAROLINE-JULIEN-GRC
Managing ICT third‑party risk & DORA compliance: Focus on AI TPP
- Context - Link between DORA, ICT outsourcing, and AI reliance, with AI providers representing heightened ICT third‑party risk
- DORA compliance in the context of AI TPP
- Scope of DORA and applicability to AI service providers as ICT third parties
- Key DORA pillars impacting AI use (ICT risk management, ICT third‑party risk, Incident reporting, oversight of critical ICT TPP)
- AI TPP considered critical or important
- Specific ICT & model risks of AI TPP
- Technology & operational risks (data security, confidentiality, and model training data, dependency on cloud infrastructure and sub‑contracting…)
- Availability and resilience risks (service continuity and scalability, concentration and lock‑in risk)
- Compliance risks (Data protection, IP ownership, auditability, misuse, bias, and ethical considerations)
- DORA‑aligned risk management
- Pre‑contract risk assessment for AI providers
- Contractual safeguards under DORA
- Ongoing monitoring
- Practical takeaways & governance integration
- Key actions to operationalise compliance
- Roles and responsibilities (Risk, IT, Compliance, Procurement)
- Preparing for supervisory scrutiny and inspections
Bénédicte d’ALLARD
Director
Regulatory, Risk & Compliance
ARENDT REGULATORY & CONSULTING S.A.
Faustine CACHERA
Counsel in the IP, Communication & Technology practice
ARENDT & MEDERNACH S.A.
DORA + NIS2 + AI Act: From Compliance to Performance – How Can Resilience Become a Growth Driver?
Compliance is often perceived as a burden. What if it were exactly the opposite?
- In a regulatory landscape where DORA, NIS2, the AI Act and GDPR overlap, how can organizations shift from a constraint-driven approach to a value-driven one?
- It all starts with the foundations: how can robust internal and perimeter security be built, without which no compliance framework is truly credible?
- Yet the real threat is often invisible: how can dark web monitoring help detect past data leaks that traditional audits have never identified?
- Operational continuity cannot be improvised: how can analyzing external attack vectors help anticipate incidents before they occur—an approach that is still little known but highly effective?
- Third parties, critical systems, AI: how can these new risk surfaces be integrated into a coherent and actionable governance framework?
- Case studies and sharing of innovative, proven security measures that transform compliance into a commercial argument and resilience into a real competitive advantage
Julien WINKIN
Managing Partner
External DPO & CISO
LUXGAP
New EBA Guidelines on third-party risk management: towards the obsolescence of the outsourcing concept?
- The complex coexistence of outsourcing and ICT services
- From complementarity to overlap: outsourcing once seen as distinct but supportive of ICT services
- From exclusivity to absorption: outsourcing now partly confined to non-ICT services
- The rise of a sharper duality: ICT vs. non-ICT service qualification
- The promise of simplification: between the legacy outsourcing framework and DORA’s regulatory authority
- The limits of harmonization: persistent disparities in how financial entities are treated
Alexandre DELPHIS
CEO-Partner
GOVERNYS
Defining Criticality under DORA: From Concept to Implementation
- Sovereign risk: the myth of low probability — toward a structural reassessment amid new geopolitical realities
- What criteria should financial entities use to assess the criticality of ICT functions and third-party providers under DORA?
- How can firms make criticality assessments both consistent across departments and defensible before auditors and regulators?
- What governance mechanisms and reporting practices ensure that criticality classifications remain accurate and up to date over time?
Moderator
Sylvain AUBRY
Panelists
Gilles CHEVILLON
Operational Resilience, Cybersecurity & Financial Crime | Digital Learning & Advisory | Regulatory Compliance (DORA & NIS2)
CEO & Founder
MAET
Frank ROESSIG
Head of AI solutions
PROXIMUS
Alexandre DELPHIS
CEO-Partner
GOVERNYS
Julien WINKIN
Managing Partner
External DPO & CISO
LUXGAP