Unpacking compliance, security and AI.
Our DPOs and CISOs regularly share their take on regulatory and technical news here: new CNPD guidelines, notable sanctions, incident lessons learned, evolutions on the AI Act, NIS 2 and DORA. To go beyond the press release.
5 articles found · #dora · Expertise Luxgap
DORA vs NIS 2 in Luxembourg: which regime prevails in an incident?
On 18/09/2023, the European Commission confirmed that sectoral acts prevail over NIS 2 as lex specialis where requirements are equivalent. DORA is one of them: in Luxembourg, the CSSF oversees incident notifications for financial entities.
DORA Art. 28: CSSF turns up the heat on the ICT dependencies register
As of 16 March 2026, only 40% of entities had filed their DORA Art. 28 register. CSSF warns: ESAs’ quality checks, potential rejections and tight resubmission windows, with a 30 June “best effort” for some branches.
CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)
CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.
DORA — TLPT framed by Delegated Regulation (EU) 2025/1190
The Commission clarified TLPT under DORA via Delegated Regulation (EU) 2025/1190. In Luxembourg, the CSSF is the TLPT authority: timeline, scope, and method are now clear.
DORA Article 28: the 'ICT dependencies register' expected by the CSSF
Since 17 January 2025, all financial entities subject to DORA must keep a structured register of their ICT contracts. The CSSF has specified the timeline and submission modalities in Luxembourg.