Overview and recommendations
The luxury market continues to grow globally and is expected to reach €2.5 trillion by 2030[1]. The health of this sector is therefore having an increasingly significant impact on the economy. This is especially true for France, where the sector is well represented in the CAC 40[2]. Thus, in this machine made of leather and silk, a single grain of sand can cost tens of millions of euros and have a lasting impact on the image of these companies. Yet, the risk factors are numerous.
Like all sectors, luxury is impacted by geopolitical instability and climate change: on the one hand, due to the high internationalization of its value chain (in 2023, French luxury companies exported goods worth €50.6 billion[3]); on the other hand, because of its high dependence on high-quality natural resources, particularly leather, textiles, and minerals.
In recent years, luxury companies have significantly accelerated the digitalization of their business processes, from manufacturing to sales. Their critical functions increasingly rely on assets exposed to IT incidents, whether caused by cyberattacks or not. Notably, the growing use of AI and IoT is a strong differentiator from a business perspective, but it also increases exposure to technological risks that, because of their novelty, are still only partially identified and mitigated.
As a result, the sector faces a key challenge: how to ensure its sustainability in the context of growing threats? In response, a fundamental concept is gaining traction among major luxury Houses: operational resilience. What is the state of the art in the luxury sector regarding operational resilience? What mechanisms are being deployed by luxury brands to ensure the resilience of their critical activities?
Operational Resilience Applied to Luxury
Armed forces were among the first to adopt the concept of operational resilience, defining it as:
“The ability to face the consequences of a traumatic crisis and bounce back, acting effectively despite a degraded environment and the human, organizational, and technical damages they [the military] may have suffered.”[4]
While this definition has a strong military tone, it nonetheless conveys a goal that any organization can pursue: the ability to withstand major disruptions and recover. Today, operational resilience has begun to permeate all sectors, from energy to healthcare, including luxury. This trend has been notably driven by the rise of regulations and standards dedicated to operational resilience, especially in the financial sector (DORA, Solvency II, PCI DSS…).
At Wavestone, we consider operational resilience to be structured around seven key pillars, inspired by best practices, notably the ISO 22301[5] standard, as well as European regulations. The luxury sector is well-suited to building these pillars, provided its specificities are considered.
Pillar 1: Critical activities and assets knowledge
This involves identifying and improving knowledge of what needs to become resilient among all business processes and assets of the organization. Two approaches exist:
- An exhaustive approach, based on a Business Impact Assessment (BIA) across all organizational processes, providing a global view of activities and identifying critical processes and their supporting assets (IT infrastructure, applications, workshops…). However, this approach is time-consuming and does not add significant value to implementing an efficient resilience strategy.
- A pragmatic approach, based on a limited impact analysis of the organization’s critical processes, identified beforehand by top management. This faster and higher-value approach allows early focus on analyzing processes recognized as vital by the business, then tracing back to the applications and infrastructures that support them.
This mapping is a crucial starting point to focus efforts on what truly matters for the organization. In the luxury sector, particular attention should be paid to the following asset categories: human resources with rare expertise, raw materials, manufacturing tools, and assets related to logistics and payment.
Pillar 2: Risk Management
The goal is to tailor operational resilience measures to the entity’s risk profile, focusing efforts on preventing the most impactful and likely risk scenarios.
In the luxury sector, it is useful to consider all risks that could affect the entity’s operations, especially those related to geopolitical instability, climate change, and IT/OT, which could impact the supply of rare raw materials, production, and distribution.
Pillar 3: Implementation and Continuous Improvement of Continuity Solutions
The target is to implement relevant resilience measures, notably through business continuity plans that address identified risks and focus on critical activities.
In the luxury sector, it is useful to define these measures with business teams in a pragmatic and essential way. The idea is for resilience measures to integrate seamlessly into business processes, improving their quality while avoiding being perceived as an additional constraint.
Moreover, luxury professions are often artisanal, with people being the sole holders of a clear vision of their processes (in other words, their craft). The resilience of their work largely depends on them. An interesting approach would be to reverse the usual method: instead of formalizing a continuity procedure and then testing it, conduct a workshop/test with business teams to formalize a procedure based on the best practices they would naturally implement.
Pillar 4: Third-party risk management
The objective is to have sufficient knowledge of the third parties involved in the entity’s critical activities and to ensure they do not pose an obstacle to their resilience. In the luxury sector, the nature of third parties presents specific characteristics that must be considered. On one hand, they are often artisans or very small businesses (VSBs) that have not worked on their own resilience. On the other hand, some third parties are the only ones able to deliver the level of quality sought by the luxury House, which may place the latter in a position of dependency. A dedicated reflection is therefore needed to co-develop resilience solutions with these third parties, notably through crisis management exercises.
Pillar 5: Crisis management capability
This involves setting up a framework to manage all types of crises that may arise and that the entity will need to manage: IT, cyber, safety, and business-related. Entities in the luxury sector, due to their “manufacturing” nature, often operate numerous geographically dispersed sites, hosting a variety of professions. These elements must be taken into account to adapt the crisis management framework and ensure that relevant exercises are conducted.
Pillar 6: IT systems resilience
Given its central role and the technical complexity it entails, the information system requires particular attention to ensure it is sufficiently protected against threats and can maintain the continuity of its critical services, even in degraded conditions. In the luxury sector, where the digitalization process remains relatively recent or still ongoing, a major strategic opportunity emerges: integrating resilience considerations from the design phase.
Pillar 7: Resilience culture and governance
At the heart of the approach, developing an operational resilience strategy is essential, led by clearly identified stakeholders. It is equally important to build on the unique corporate culture of each luxury House — a true driver of employee engagement — by progressively embedding a culture of resilience.
The state of operational resilience in the luxury sector
To establish this overview, we relied on the results of our CyberBenchmark and OpResBenchmark. These two tools respectively assess the maturity level of entities in terms of cybersecurity and operational resilience, while positioning them relative to the rest of the market.
The combination of these tools allowed us to consolidate data from the evaluation of over 150 entities, including a significant number from the luxury sector.
These insights enable us to present the overview below, illustrating the sector’s maturity level across all seven pillars of operational resilience.
According to 2025 data from Wavestone’s CyberBenchmark and OpResBenchmark
Upon reviewing this data, the most obvious finding lies in the market average (47.5%):
Entities across all sectors appear to be not very resilient. However, there are significant disparities, particularly depending on the level of regulation in each sector.
Naturally, the financial sector, currently undergoing compliance with DORA (Digital Operational Resilience Act), shows a high level of maturity across all pillars.
Meanwhile, the energy sector, also regulated, must contend with complex industrial systems and heavy legacy infrastructures, which complicate its operational resilience.
The context of the past five years – marked by major challenges to business continuity (COVID-19, military conflicts, rising cyber threats, etc.) – along with the recognition of operational resilience in several regulatory texts (e.g., DORA, CER, CRA, NIS 2) seems to be reversing the trend. We are seeing more entities becoming aware of the importance of operational resilience and beginning to launch significant initiatives to address the issue.
In terms of maturity, the luxury sector stands out with an average of 53.4%.
Even though it is not directly targeted by regulation, we have observed a proactive approach to the topic, particularly from CISOs of luxury Houses, who have initiated numerous resilience-related projects. Accustomed to the pursuit of excellence, the luxury sector is embracing the topic voluntarily, convinced that it represents a strategic challenge for the future.
This position even seems to allow it to leverage best practices established by regulation, focusing on what matters most, without being burdened by compliance constraints or oversight from authorities (incident reporting, audit preparation, evidence sharing…).
In practice, this translates into the sector being ahead of many other unregulated industries in terms of operational resilience — even though we are still at the beginning of the journey.
On crisis management and IT resilience
The consequences of poorly managed crises are often severe — financially, legally, and reputationally. We can easily imagine, for a luxury House, the impact of being unable to process customer payments or a fire affecting a raw materials warehouse. Luxury brands have therefore long been structured to manage the crises they face.
However, these crises now frequently originate from incidents affecting information systems.
In 2022, 62% of luxury sector companies were victims of ransomware attacks, resulting in average financial losses of around €5 million per incident. At the same time, stolen data is increasingly circulating on the Dark Web. According to Dark Web Monitor, listings offering sensitive information — such as upcoming product plans or confidential marketing strategies — have increased by 78%. For example, in 2022, the Italian House Moncler suffered a data breach, with a ransom demand of $3 million to prevent the disclosure of information related to its wealthiest clients[6].
Crisis management therefore relies heavily on IT resilience mechanisms, which materialize the decisions made by the crisis unit. These mechanisms include backups, flow blocking, and workaround solutions. They also play a key role in incident prevention and detection, through tools such as EDRs, IDS/IPS probes, automated patch deployment, and regular configuration testing.
On third-party risk management
The sector’s maturity on this pillar is largely due to the historical awareness among luxury companies of the criticality of their value chains, both upstream (leather, silk, precious stones sourcing…) and downstream (finished product distribution). These value chains involve numerous external providers — extraction, maritime or road transport, logistics hubs — whose failure can lead to major commercial consequences.
Among the suppliers of major luxury Houses, one often finds small artisanal businesses, holders of rare and hard-to-replace expertise. At first glance, their small size might suggest low risk management maturity. However, due to their strategic value, these artisans receive special attention. Luxury Houses adopt a collaborative approach to support them in managing their risks, including in the IT domain, even though IT systems remain limited in these artisanal structures. This collaboration takes the form of regular audits, sharing of best practices, and in some cases, acquisitions that allow for full integration and maturity development aligned with the standards of the luxury House.
On understanding critical activities and assets
This pillar is particularly complex to master for luxury entities, which are generally divided into Houses/entities with very different business lines, sometimes spread across multiple continents. This structure gives a certain autonomy to the various business units, which can complicate the proper sharing of information with the teams responsible for resilience at the group level.
On governance and resilience culture
This pillar is the least well mastered by the sector. Luxury even ranks slightly below the market average. Indeed, roles and responsibilities are rarely clearly defined, and a common governance structure is often nonexistent. As a result, several similar projects may compete with one another, or be handled incompletely (e.g., from an IT perspective without considering BIAs conducted by business teams).
Our recommendations to improve operational resilience in the luxury sector
Wavestone supports multiple entities across all sectors in their operational resilience initiatives. Considering the specificities of the luxury sector mentioned earlier, we identify four key recommendations:
- Draw inspiration from regulations while remaining pragmatic (DORA, CER, NIS 2, Solvency II, LPM, etc.): Luxury is not directly subject to these regulations, yet it is relevant to leverage them as best practice frameworks. With DORA, the financial sector is progressing rapidly on the topic, and its feedback and experience can be valuable to the luxury sector. Obviously, it is essential to remain pragmatic and retain only the measures that are relevant to the specific luxury entity and its characteristics. It is important to avoid overloading business teams with purely regulatory requirements, which are primarily designed to help supervisory authorities fulfill their role.
- Test and learn: Testing is an essential component of an operational resilience strategy. It is through testing that one can measure the effectiveness of continuity solutions (BCP, DRP, crisis management tools, etc.), draw lessons, and continuously improve them. Notably, threat-based penetration testing (as described in DORA and the TIBER-EU framework) allows for end-to-end testing of operational teams, including third parties, and can therefore be highly insightful even outside the financial sector.
- Establish a Group-level strategy: This helps avoid contradictory initiatives at the entity level and/or between IT/Cyber teams and business units, while also enhancing efficiency. Moreover, this strategy allows for the definition of a target maturity level, tailored to the specific needs of each entity.
- Build on existing foundations: Due to their specificities, luxury entities may have already implemented continuity solutions and/or governance structures suited to operational resilience (third-party management, crisis management, cybersecurity programs, etc.). It is important not to start from scratch, but rather to capitalize on existing assets to initiate a tailored approach.
[1] Luxury in Transition: Securing Future Growth, Bain & Company
[2] The main French stock index
[3] Le luxe français : pourquoi ce secteur déjoue toutes les crises, La Fabrique de l’industrie
[4] Doctrine interarmées, DIA-3.4.1_RESILIENCE, N° 23/ARM/CICDE/NP du 08 février 2022.
[5] This standard defines features of a “business continuity management system”
[6] À quels enjeux de cybersécurité les grands noms du luxe sont-ils confrontés ?, L’Usine Digitale