Agefi Luxembourg - octobre 2025

Informatique financière

From Compliance to Competitive Edge: Navigating the New Digital Risk Landscape

By Julien RENKIN, CCO, SOPIAD & Maxime HENNAU, Head of Spike Reply Luxembourg

The Digital Operational Resilience Act (DORA) introduces a landmark regulatory framework that reshapes how financial entities across the European Union manage ICT risks, operational continuity, and cybersecurity. DORA sets a new benchmark for digital resilience in an increasingly volatile threat landscape.

This regulation comes at a time when cyberattacks are growing in scale and sophistication. The ransomware incident targeting a European payments infrastructure in late 2024, which disrupted cross-border transactions and exposed critical data flows, exemplifies the systemic vulnerabilities that DORA seeks to address.

While DORA applies directly to financial institutions, its ripple effects are already being felt by ICT service providers. These providers, from cloud platforms to niche software vendors, are now subject to stricter contractual requirements, enhanced due diligence, and continuous monitoring imposed by their regulated clients. In practice, this means demonstrating mature cybersecurity postures aligned with financial sector standards, supporting auditability and traceability across service delivery, and preparing for threat-led penetration testing (TLPT) and exit strategies embedded in service-level agreements.

In short, DORA is redefining the expectations placed on ICT partners. Those unable to meet the elevated standards risk losing business, facing reputational damage, or being excluded from critical financial ecosystems.

How SOPIAD and Spike Reply Navigated DORA's Demands

SOPIAD, a Liège-based RegTech, provides a scientifically grounded investment diagnostic platform that enables financial institutions to deliver personalised and transparent portfolio recommendations. As DORA raised expectations around ICT governance, SOPIAD proactively sought to align with the evolving demands of its regulated clients.

To support this, SOPIAD partnered with Spike Reply, a cybersecurity consultancy within the Reply Group. With extensive experience working alongside financial institutions across Europe, Spike Reply brought deep insight into what these entities expect from their ICT partners, enabling SOPIAD to strengthen its resilience and meet compliance standards effectively.

Impact of DORA on ICT Service Providers

Although DORA applies directly to financial entities, its influence on ICT service providers is increasingly tangible. Financial institutions are now required to ensure that their technology partners meet elevated standards of resilience, governance, and transparency, making compliance readiness a key selection criterion.

DORA introduces a tiered model of ICT providers. Category 1 includes providers of general ICT services to financial entities, such as hosting, software licensing, and helpdesk support. Category 2 covers providers supporting Critical or Important Business Functions (CIBFs), whose disruption could materially impact financial stability or regulatory compliance. Finally, Category 3 encompasses providers designated as Critical Third-Party Providers (CTPPs) at the EU level, who are subject to direct oversight by the European Supervisory Authorities (EBA, ESMA, and EIOPA).

In practice, this means ICT providers must maintain audit-ready documentation, such as ICT risk assessment evidence and policies and procedures; answer due diligence questionnaires and client audits; support incident reporting and business continuity planning; and accept contractual clauses covering audit rights, exit strategies, and subcontractor transparency. For instance, companies may be required to demonstrate that their platform operates within a secure, well-documented, and auditable environment. This could involve providing evidence of data governance policies, encryption standards, and access controls, or responding to detailed due diligence questionnaires covering incident response and business continuity.

Even niche providers offering proprietary analytics, portfolio modelling, or investment scoring tools must now align their ICT frameworks with the expectations of financial clients subject to DORA. The ability to support these requirements is increasingly a prerequisite for maintaining strategic partnerships in the financial sector. Providers failing to meet these standards risk losing strategic partnerships, while those that adapt can position themselves as resilient, trusted players in a highly regulated ecosystem.

"While achieving compliance with new regulations is always a challenge for any company, it is particularly true for smaller firms that must cope with more limited human, technical, and financial resources. Pragmatic approaches such as modular solutions, specialised external providers, and prioritising the most significant regulatory risks help concentrate efforts on measures that add real value to operational resilience," added Renkin.

Strengthening Compliance: How Spike Reply Supported SOPIAD

While SOPIAD had already established solid internal processes, the growing expectations of its financial clients under DORA required a more formalised and consolidated approach to governance and documentation.

Spike Reply stepped in to provide targeted, practical support aimed at elevating SOPIAD's compliance maturity. The engagement began with a tailored decoding of the regulation, focusing on the DORA obligations most relevant to ICT service providers. This was followed by a comprehensive gap analysis, benchmarking SOPIAD's existing posture against DORA-aligned expectations.

From there, Spike Reply delivered hands-on support by drafting and refining key governance documents, including ICT policies, risk management guidelines, and business continuity protocols. They also conducted internal training sessions to equip SOPIAD's teams to handle client assessments and regulatory requests autonomously, while sharing best practices from across the European financial sector to ensure alignment with both regulatory and market standards.

Reflecting on the collaboration, Hennau highlighted: "Our deep expertise and practical approach allowed us to transform complex regulatory requirements into actionable processes, strengthening our resilience and positioning us as a trusted partner in the financial ecosystem."

The project concluded with the delivery of a centralised "DORA package", a structured compliance file designed to support vendor due diligence, demonstrate operational maturity, and accelerate onboarding with financial clients. Thanks to this collaboration, SOPIAD is now better positioned to respond to external assessments and present itself as a secure, resilient partner in the financial ecosystem.

Next Steps: Building Long-Term Resilience

With its extensive experience supporting financial institutions across Europe, Spike Reply has developed a deep understanding of what these organisations expect from their ICT service providers. This includes knowing which documents, controls, and governance practices truly influence vendor selection and build trust. For ICT providers, this insight is critical, not only to meet client expectations, but to stand out in a competitive and increasingly regulated market.

As Renkin notes, "Our internal preparation, challenged and enhanced by the expertise of the Spike Reply team, now enables us to quickly and easily demonstrate our ability to maintain continuous digital resilience, share our compliance processes, and provide full traceability of incidents and updates."

At the same time, the regulatory landscape is evolving. Frameworks like NIS2 are beginning to place direct obligations on ICT service providers, accelerating the need for formalised internal processes, stronger documentation and auditability, and structured governance and risk management frameworks. To support this transition, service providers can also explore public funding opportunities to co-finance compliance and cybersecurity initiatives.

As regulatory expectations continue to rise, early and proactive alignment with frameworks like DORA is no longer optional; it is a strategic differentiator.

Innovating with Integrity: Why Responsible AI Is Essential

By Nora SKJERDAL, Business Consultant & Michael NICHOLLS, Principal Financial Services Consulting at EPAM*

Artificial intelligence (AI) is no longer a futuristic concept: it is already transforming organizations across industries. With the rise of generative AI (GenAI), companies have unprecedented opportunities to innovate, improve efficiency, and deliver new services. But with great power comes great responsibility: deploying AI without proper governance can introduce risks, undermine trust, and slow adoption.

Research shows that only 1% of companies have an effective AI governance framework in place. Many are appointing Chief AI Officers (CAIOs), with 63% of the most innovative companies already having one. In other cases, responsibility rests with the Chief Data Officer or Chief Information Officer. Regardless of title, leadership and governance are crucial for aligning AI strategies with broader business objectives. Strong policies, risk management, and ethical oversight ensure AI delivers value safely and sustainably.

Building the Foundation of Responsible AI

Responsible AI starts with a framework grounded in ethical principles and human values. Four pillars are critical:

- Human-centricity – AI should enhance well-being and provide transparency about its operations.
- Safety and governance – Rapid technological change requires robust controls to mitigate risk.
- Fairness and reliability – AI must benefit all users equally, avoiding bias or discrimination.
- Regulation and compliance – Trust depends on adherence to legal and regulatory standards.

When organizations embed these principles into daily operations, AI adoption accelerates, innovation flourishes, and risks are mitigated. One case study demonstrates how a structured program, starting with a discussion on AI principles and evolving into a guided implementation, enabled smooth adoption across the organization, integrating values directly into workflows and decision-making.

Culture and Engagement Are Key

Technology alone isn't enough. Successful AI deployment requires an informed, engaged workforce. Organizations should clearly communicate AI's capabilities and limitations and provide reporting channels for questions or incidents. A strong onboarding process and ongoing education foster a culture of responsible AI, where employees actively contribute to optimization and safe usage.

Flexibility in a Changing Landscape

AI evolves constantly, and organizations must adapt. Transparency is critical: users should know when they're interacting with AI, understand its capabilities, and have access to information suited to their knowledge level. Responsible data practices, such as clear consent and secure data handling, further build trust and ensure predictable, ethical interactions. Actively gathering user feedback allows companies to refine systems and enhance functionality. Equally, clear explanations and alternative pathways help users understand errors or unexpected outputs, maintaining confidence in AI tools.

Responsible AI Drives Sustainable Innovation

Responsible AI is often misunderstood as rigid compliance, but it's far more dynamic. It's about fostering a culture where ethical AI use is embedded into everyday practice. Organizations that embrace these principles achieve better business outcomes while generating societal value, and help shape the evolving regulatory landscape. Far from limiting innovation, responsible AI is a catalyst for sustainable progress.

*https://www.epam.com/
