The Autumn Alert: A Fictional Dive into Luxembourg’s Risk Evolution

October 27, 2025

Karim Bouaissi, EY Luxembourg Consulting Partner – Cyber & Digital Risk

On an autumn Friday evening, Tom*, the risk management lead at FinokLux* Capital, is about to leave the office. A warning pops up on his dashboard: AuroraShield*, the artificial intelligence deployed by the company to monitor IT and third-party risks, has detected a data exfiltration attempt via a plugin used by a critical vendor.

The new language of risk in Luxembourg

Trained on behavioral models and cyber threat scenarios, AuroraShield analyzes real-time data flows between FinokLux and its service providers. It identifies anomalies, assesses their severity based on DORA criteria, and proposes automated responses. In this case, it blocks access, alerts the IT teams, classifies the incident as major, and generates a draft report for the CSSF, including evidence, actions taken, and potential impacts.

This fictional scenario reflects a vision of IT and third-party risk management that is an imminent reality.

This future, closer than we think, will become tangible as advanced technologies such as AI are harnessed through rigorous governance, driven by a culture of trust built on transparency, anticipation, and continuous improvement, and supported by a deep understanding of risks and AI-related challenges.

Luxembourg, a leading European hub for finance and technology, is entering a pivotal phase.

Artificial intelligence, accelerated digitalization, and new regulations such as DORA, the AI Act, and NIS2 are reshaping how financial institutions manage IT and third-party risks.

While Luxembourg offers a stable regulatory environment, Tom must navigate structural constraints: his company, like many others, is a subsidiary of a global group, relying on headquarters for strategic direction and technological tools. Internally, limited resources in risk, compliance, and IT reduce agility. Externally, the growing dependence on ICT third parties, combined with increasingly stringent reporting requirements from the CSSF and EU regulators, adds complexity and pressure to his daily operations.

Integrating AI into business processes brings efficiency gains but also raises major concerns.

Faced with algorithmic bias, opaque automated decisions, and increased reliance on technology providers, the European AI regulation now imposes ethical and traceability standards, requiring companies to audit their algorithms and document their models.

Managed services, especially in cloud and cybersecurity, allow organizations to outsource critical functions. However, this delegation complicates accountability chains and exposes companies to third-party risks that are often poorly managed.

In Luxembourg, Professionals of the Financial Sector play a unique and strategic role in managing IT and other outsourced services. These entities are not only regulated by the CSSF, but also operate under strict legal and operational conditions, making them more robust and trustworthy than similar providers in many other jurisdictions.

On top of that, the regulatory landscape demands extensive documentation and traceability requirements that can overwhelm operational teams and slow decision-making.

For Tom, each incident or anomaly flagged must be not only resolved, but also reported, documented, and aligned with CSSF expectations, adding layers of complexity to already stretched resources.

What to do?

To navigate this environment, institutions are increasingly turning to Governance, Risk & Compliance platforms that centralize controls, policies, incidents, and regulatory obligations into a single, auditable framework. Others choose to delegate IT and systems responsibilities to trusted third parties, such as regulated Professionals of the Financial Sector, to ensure resilience, scalability, and regulatory alignment. These approaches empower organizations to minimize financial exposure, ensure operational continuity, strengthen stakeholder trust, and maintain long-term regulatory alignment.

Third-party risk management (TPRM) is becoming a cornerstone.

According to the EY 2025 Global Third-Party Risk Management Survey,[1] 72% of respondents identify cyberattacks as the most concerning third-party risk.

A recent and striking example: Luxembourg’s government websites were inaccessible for nearly two hours following a distributed denial-of-service (DDoS) attack. The incident, confirmed by the State Information Technology Center, is part of a series of targeted attacks on the country’s digital infrastructure. The origin and perpetrators remain unknown.[2]

This event highlights the vulnerability of critical services even when operated by trusted third parties. It underscores the need for continuous monitoring, tailored response plans, and close coordination between public and private stakeholders.

GRC platforms are becoming strategic engines.

By centralizing policies, controls, incidents, and regulatory obligations into a single, auditable framework, they simplify traceability and accelerate decision-making. AuroraShield, though fictional, illustrates this shift: an AI embedded in a GRC environment, capable of detecting, qualifying, documenting, and triggering incident responses — all while staying aligned with DORA and NIS2 requirements.

Tom sees the benefits firsthand. AuroraShield not only helps him manage incidents in real time, but also supports regulatory alignment and internal coordination, turning complexity into clarity.

This convergence of technology and governance helps organizations move from reflection to execution. It transforms technical challenges into business levers—minimizing financial exposure, ensuring operational continuity, and reinforcing stakeholder trust.

Some institutions go further. They build alternative infrastructures for vital functions and prepare for extreme scenarios: redundant systems, isolated backups, and contingency operations centers ready to take over in case of cyberattacks, supplier failures, or geopolitical disruptions. These organizations conduct stress tests, simulate black swan events, and design multi-layered continuity plans that go beyond compliance. In doing so, they not only protect their core business but also demonstrate a proactive posture that reassures regulators, clients, and investors alike.

The pillars of a trust culture

This approach is rooted in a culture of trust, built on:
– Transparency: making risks visible and understandable
– Anticipation: acting before threats materialize
– Continuous improvement: adapting systems to evolving conditions

Together, these pillars form the foundation of a resilient, forward-looking risk culture: one that turns compliance into confidence and uncertainty into strategic opportunity.

Conclusion

The approach ultimately is almost Darwinian: “It’s not the biggest or most powerful organizations that will overcome major crises, but those that adapt most quickly to change.”

IT risk management and TPRM are no longer just about compliance. They are becoming a vector of transformation, trust, and performance.[3]

No organization is immune to incidents, attacks, or third-party failures. But those that fare best are those that have anticipated threats, prepared their response, structured their critical functions, integrated regulatory requirements, and invested in robust systems, either internally or through specialized partners.

Resilience then becomes a competitive advantage: a company that can continue operating during a crisis strengthens its credibility, value, and ability to inspire trust.

[1] ey-gl-2025-ey-global-third-party-risk-management-survey-05-2025.pdf

[2] DDoS attack brought down government websites for 2 hours — Luxtoday.lu

[3] Turning Cyber, Digital Compliance and Risk into Opportunities | EY Luxembourg
