LUXEMBOURG Trends and Developments Contributed by: Claire Guilbert, Geoffroy Hermanns and Cyril Clugnac, Norton Rose Fulbright
One of the most significant changes of the AML Package is the creation of the AAMLC and its ambition of a unified AML/CFT supervisory approach. The AAMLC will seat in Frankfurt and Main in Germany and assume most of its tasks and powers by 1 July 2025, although its direct supervision power will only commence in 2028. Preparing the Digital Operational Resilience Act The innovative regulatory framework address - ing the risks posed by the digital transformation of financial services (as well as the increase in volume and severity of cyber-attacks within the sector), the Digital Operational Resilience Act – known under the widely used acronym DORA (ie, Regulation (EU) 2022/2554 of 14 December 2022) – entered into force on 16 January 2023 and is fast approaching the start of its applica - tion (and enforcement) period, commencing on 17 January 2025. DORA has required a long preparation period for all in-scope entities as well as deep fine-tuning by the European Supervisory Authorities (ESAs), which culminated with the adoption by the Euro - pean Commission, on 23 October 2024 and 24 October 2024, of regulatory technical standards (RTS) and implementing technical standards (ITS) based on the ESAs’ draft published ear - lier this year (through two delegated regulations supplementing DORA), namely: • an RTS specifying the content and time limits for the initial notification of, and intermedi - ate and final report on, major information and communication technology (ICT)-related incidents, and the content of the voluntary notification for significant cyberthreats; • an accompanying ITS regarding the stand - ard forms, templates and procedures for financial entities to report a major ICT-related
incident and provide notice of a significant cyberthreat; and • an RTS on the harmonisation of conditions enabling the conduct of the oversight activi - ties. It is now up to the Council of the EU and the European Parliament to scrutinise these two delegated regulations for a maximum of three months, after which, absent objection, they will be published in the Official Journal of the EU and enter into force 20 days later. However, the European Commission has yet to adopt two sets of RTS: the first on the criteria for determining the composition of the joint exami - nation team and the second on thread-lead pen - etration testing, the ESA’s drafts of which were published on 17 July 2024, as well as one set of ITS on the register of information (which is likely to stem from the expressed divergences concerning the latter between the ESAs and the European Commission regarding the inclusion of a European unique identifier for financial entities, where the European Commission seems to still favour the more traditional legal entity identifier (LEI) code, at least as an option, when identify - ing ICT third-party service providers registered in the EU). The European long-term investment fund RTS finally cross the line On 19 July 2024, a rarely seen ping-pong match between ESMA and the European Commission on the draft RTS under version 2.0 of Regulation (EU) 2015/760 on European long-term invest - ment funds (ELTIFs) (as amended by Regulation (EU) 2023/606 of 15 March 2023 – ie, ELTIF 2.0), came to an end. The legislative process between ESMA and the European Commission has been unusually
367 CHAMBERS.COM
Powered by FlippingBook