
CSSF 25/883 amends 22/806: continuous cloud oversight

On 9 April 2025, the CSSF adjusted 22/806 via 25/883 to align ICT outsourcing with DORA. Here’s how a robust CSPM prevents cloud leaks and demonstrates compliance.

On 9 April 2025, the CSSF issued circular 25/883 amending 22/806 with immediate effect to align ICT outsourcing (notably cloud) with DORA. A CSPM setup reduces leak risk and provides continuous evidence of compliance.

The facts

The CSSF clarifies the scope. For entities subject to DORA, Part II of 22/806 (ICT outsourcing, including cloud) no longer applies; their ICT requirements are now taken up and completed by CSSF circular 25/882. For entities outside DORA, 22/806 continues to apply in full. Certain cloud‑specific clauses (EEA governing law, cloud resilience located in the EEA) are removed to harmonise with DORA. The associated forms and FAQs were updated as well (critical/important ICT notification form, version 5 dated 10 July 2025). Official sources: CSSF 25/883 and CSSF 22/806 (updated 9 April 2025).

Why act now? The risk is not theoretical: on 31 March 2026, Cisco confirmed source code theft following a breach of a development environment, with cloud access leveraged in the attack chain. See BleepingComputer (31 March 2026).

The applicable legal framework

  • CSSF 22/806 as amended by CSSF 25/883: outsourcing register, due diligence, critical/important assessment, governance, ongoing supervision, sub‑outsourcing, exit plans, risk‑proportionate controls. DORA interplay: DORA entities fall under ICT/third‑party rules via DORA and CSSF 25/882; non‑DORA entities: 22/806 fully applies. See the PDF text of 25/883.
  • DORA (Regulation (EU) 2022/2554): harmonized requirements for ICT risk management, third‑party providers, continuous monitoring, testing and inventories. Expectations detailed on the CSSF page ICT and cyber risk (DORA). For a consolidated overview, see our page on DORA and operational resilience.

What the supervisor expects

  • Clear governance and an exhaustive outsourcing register with critical/important classification.
  • Ongoing supervision of cloud provider security controls, traceable and risk‑proportionate (monitoring, evidence, remediation).
  • Ability to demonstrate effectiveness: cloud asset inventory, logging, secure configurations, incident detectability, exit and continuity plans.

The technical solution: CSPM (Cloud Security Posture Management)

A CSPM addresses continuous monitoring and evidence obligations:

  • Continuously inventories multi‑cloud resources and maps exposure surfaces (storage, networks, identities/permissions, secrets).
  • Compliance checks run continuously against policy packs (CIS Benchmarks for AWS, Azure and GCP, EBA/DORA good practices, CSSF guidance, ISO 27001, NIST CSF), with alerts on configuration drift.
  • Detects the classic critical errors: public storage, long‑lived unrotated access keys, overly permissive IAM, admin ports exposed to the internet, disabled audit logging, missing encryption, resources in forbidden regions, orphaned resources.
  • Orchestrates remediation: automatic/semi‑automatic playbooks (close public bucket access, enable encryption, apply a guardrail policy).
  • Collects evidence artefacts: versioned reports, control traceability, before/after scoring — essential for CSSF/DORA audits.
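The detection and evidence points above, shown as a small rule engine of the kind a CSPM runs over a normalised inventory. This is an added example for this article, not code from any CSPM product or from Luxgap: the inventory layout (one dict per resource with a `type` key), every resource, region, key date and account detail, and the 90‑day rotation threshold are constructed assumptions, and the control references are an illustrative mapping onto the frameworks named on this page rather than an official crosswalk.

```python
"""Rule engine of the kind a CSPM runs over a normalised cloud inventory.

Added example for this article, not code from any CSPM product or from
Luxgap. The inventory layout (one dict per resource with a `type` key) and
every resource, region and date below are constructed sample data; the
control references are an illustrative mapping onto the frameworks named
on the page, not an official crosswalk.
"""
from dataclasses import asdict, dataclass
from datetime import date
import json

SNAPSHOT_DATE = date(2025, 9, 1)   # constructed: the day the inventory was taken
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1", "europe-west1", "westeurope"}
MAX_KEY_AGE_DAYS = 90              # assumed rotation policy
ADMIN_PORTS = {22, 3389}

# Constructed multi-cloud snapshot: each entry is what a collector would emit.
INVENTORY = [
    {"id": "s3://reports-public", "type": "storage", "region": "eu-west-1",
     "public": True, "encrypted": False},
    {"id": "s3://ledger-archive", "type": "storage", "region": "eu-west-1",
     "public": False, "encrypted": True},
    {"id": "gs://dev-dumps", "type": "storage", "region": "us-central1",
     "public": False, "encrypted": True},
    {"id": "key/ci-deployer", "type": "access_key", "region": "global",
     "created": "2024-11-15", "active": True},
    {"id": "sg-0abc", "type": "firewall", "region": "eu-west-1",
     "rules": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 443}]},
    {"id": "role/DataScience", "type": "iam_policy", "region": "global",
     "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"id": "trail/main", "type": "audit_log", "region": "eu-west-1", "enabled": False},
]


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    controls: tuple  # framework references carried into the evidence report


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(inventory, today=SNAPSHOT_DATE):
    """Apply the detection rules from the article's list and return findings."""
    findings = []
    for r in inventory:
        rid, t, region = r["id"], r["type"], r.get("region", "global")
        if region != "global" and region not in ALLOWED_REGIONS:
            findings.append(Finding(rid, "region.forbidden", "high", ("ISO 27001 A.5.23",)))
        if t == "storage":
            if r.get("public"):
                findings.append(Finding(rid, "storage.public", "critical",
                                        ("CIS v8 4", "NIST CSF PR.DS")))
            if not r.get("encrypted"):
                findings.append(Finding(rid, "storage.unencrypted", "high", ("NIST CSF PR.DS",)))
        elif t == "access_key" and r.get("active"):
            age = (today - date.fromisoformat(r["created"])).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(Finding(rid, "iam.key_not_rotated", "high", ("NIST CSF PR.AA",)))
        elif t == "firewall":
            for rule in r["rules"]:
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                    findings.append(Finding(rid, "network.admin_port_exposed", "critical",
                                            ("CIS v8 4", "NIST CSF PR.AA")))
        elif t == "iam_policy":
            for s in r["statements"]:
                if (s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
                        and "*" in _as_list(s.get("Resource"))):
                    findings.append(Finding(rid, "iam.admin_wildcard", "critical",
                                            ("NIST CSF PR.AA",)))
        elif t == "audit_log" and not r.get("enabled"):
            findings.append(Finding(rid, "logging.disabled", "critical",
                                    ("ISO 27001 A.8.15", "CIS v8 8", "NIST CSF DE.CM")))
    return findings


def evidence_report(findings, snapshot=SNAPSHOT_DATE):
    """Versionable artefact: counts per severity plus resource-to-control traceability."""
    by_severity, by_control = {}, {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
        for c in f.controls:
            by_control.setdefault(c, []).append(f.resource)
    return {"snapshot": snapshot.isoformat(), "total": len(findings),
            "by_severity": by_severity, "by_control": by_control,
            "findings": [asdict(f) for f in findings]}


if __name__ == "__main__":
    print(json.dumps(evidence_report(evaluate(INVENTORY)), indent=2))
```

Run as a script, it prints the JSON evidence report for the constructed snapshot: seven findings, four of them critical. The `by_control` map is the part an auditor asks for, since it lets a reviewer go from a framework clause (for example ISO 27001 A.8.15 on logging) to the concrete resources that failed it on a dated snapshot; storing one such report per scan gives the before/after scoring the article mentions.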

Frameworks

  • ISO/IEC 27001:2022 – Annex A: 5.23, 8.15, 8.16, 8.32.
  • NIST CSF 2.0 – PR.AA, PR.DS, DE.CM.
  • CIS Controls v8 – 4, 8, 15.

Governance must steer these controls. Our fractional CISO experts structure cloud policies, committees and KPIs to drive posture.

Link to CSSF/DORA compliance

  • 22/806 as amended by 25/883 requires a proportionate, documented and supervised control system: a CSPM provides continuous verifiability, a technical risk register and reports usable for eDesk submissions and notifications.
  • For DORA entities, CSPM feeds the ICT third‑party register and operational controls expected by CSSF 25/882 (third‑party monitoring and related evidence). Also see the CSSF page ICT and cyber risk (DORA).

How Luxgap delivers

  • ISO 27001 governance: cloud policies (allowed regions, encryption, logging, tagging, IAM), criticality analysis, CSPM integrated into internal control.
  • 24/7 managed SOC: ingest CSPM alerts into the SIEM, correlate with access/identity logs, prioritize by criticality and time‑to‑fix. Explore our managed SOC and incident detection.
  • Externalized DPO/CISO consultants: map processing and data flows, align with DORA and 22/806/25/883, prepare audits/inspections, update the outsourcing register and evidence.

Rollout runs in four steps:

  1. Read‑only audit to establish a baseline.
  2. Guardrails configured per framework (CIS Benchmarks, ISO 27001, CSSF/DORA requirements).
  3. Integrate the CSPM into the IaC pipeline so drift is blocked before it reaches production.
  4. Define a RACI, remediation SLAs and executive reporting.

Case study (Luxembourg/EU)

A Luxembourg management company outside DORA (22/806 applicable) deployed a multi‑cloud CSPM in six weeks:

  • 132 critical non‑conformities detected in week one (public storage, disabled logs, long‑lived access keys).
  • IaC guardrails: within two months, 86% of drifts were blocked before deployment.
  • Outsourcing register enriched with control sheets and quarterly risk committee reports; evidence available for the CSSF.

First practical steps

  • Map accounts/projects/subscriptions and separate DORA vs non‑DORA; define 22/806/25/883 vs 25/882 scope (see our page on DORA and operational resilience).
  • Enable centralized logging and default encryption; forbid public storage creation without approved exceptions.
  • Deploy a read‑only CSPM: inventory, CIS benchmarks, critical alerts (network exposure, unencrypted data, broad IAM).
  • Integrate CSPM into CI/CD and enforce shift‑left policy checks.
  • Update the outsourcing register with CSPM reports, cloud policies and remediation SLAs; schedule a monthly review board.
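The pre‑production guardrail named in the rollout step "integrate the CSPM into the IaC pipeline" and in the shift‑left bullet above, shown as a gate over a Terraform plan that also honours the "approved exceptions" the storage bullet calls for. This is an added example for this article, not code from the Luxgap page or from any CSPM or IaC vendor. It assumes the standard `terraform show -json` layout (`resource_changes[].change.after`); the plan excerpt, the exceptions register, the change‑ticket references and the run date are constructed, and the rule set is deliberately small.

```python
"""Pre-deployment gate over a `terraform show -json` plan, with approved exceptions.

Added example for this article, not code from the Luxgap page or from any
CSPM or IaC vendor. It assumes the standard Terraform plan JSON layout
(resource_changes[].change.after); the plan, the exceptions register and the
change-ticket references below are constructed sample data. The rule set is a
small illustrative one that a real policy pack would extend.
"""
import json
import sys
from datetime import date

TODAY = date(2025, 9, 1)                                          # constructed run date
ALLOWED_GCS_LOCATIONS = {"EU", "EUROPE-WEST1", "EUROPE-WEST4"}    # assumed residency policy
PUBLIC_ACLS = {"public-read", "public-read-write"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")

# Constructed excerpt of `terraform show -json tfplan`.
PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket_acl.reports", "type": "aws_s3_bucket_acl",
     "change": {"actions": ["create"], "after": {"bucket": "reports", "acl": "public-read"}}},
    {"address": "aws_s3_bucket_public_access_block.ledger",
     "type": "aws_s3_bucket_public_access_block",
     "change": {"actions": ["create"], "after": {
         "bucket": "ledger", "block_public_acls": True, "block_public_policy": True,
         "ignore_public_acls": True, "restrict_public_buckets": True}}},
    {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
     "change": {"actions": ["create"], "after": {"size": 100, "encrypted": False}}},
    {"address": "aws_db_instance.analytics", "type": "aws_db_instance",
     "change": {"actions": ["update"], "after": {"publicly_accessible": True}}},
    {"address": "google_storage_bucket.dumps", "type": "google_storage_bucket",
     "change": {"actions": ["create"], "after": {"name": "dumps", "location": "US"}}},
    {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
]}

# Constructed approved-exceptions register (what the risk committee signed off).
EXCEPTIONS = [
    {"address": "aws_db_instance.analytics", "rule": "database.public",
     "approved_by": "risk-committee", "ticket": "CHG-0412", "expires": "2025-12-31"},
    {"address": "google_storage_bucket.dumps", "rule": "region.forbidden",
     "approved_by": "risk-committee", "ticket": "CHG-0377", "expires": "2025-06-30"},  # lapsed
]


def check(rtype, after):
    """Return the rule IDs a single planned resource state violates."""
    hits = []
    if rtype == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
        hits.append("storage.public_acl")
    if rtype == "aws_s3_bucket_public_access_block" and not all(after.get(f) for f in PAB_FLAGS):
        hits.append("storage.public_access_block_incomplete")
    if rtype == "aws_ebs_volume" and not after.get("encrypted"):
        hits.append("storage.unencrypted")
    if rtype == "aws_db_instance" and after.get("publicly_accessible"):
        hits.append("database.public")
    if rtype == "google_storage_bucket" and after.get("location", "").upper() not in ALLOWED_GCS_LOCATIONS:
        hits.append("region.forbidden")
    return hits


def gate(plan, exceptions, today=TODAY):
    """Split planned violations into blocking ones and ones covered by a live exception."""
    active = {(e["address"], e["rule"]): e for e in exceptions
              if date.fromisoformat(e["expires"]) >= today}
    blocking, waived = [], []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:            # deletions carry no post-apply state to check
            continue
        for rule in check(rc["type"], after):
            key = (rc["address"], rule)
            if key in active:
                waived.append({"address": rc["address"], "rule": rule,
                               "ticket": active[key]["ticket"]})
            else:
                blocking.append({"address": rc["address"], "rule": rule})
    return blocking, waived


if __name__ == "__main__":
    blocking, waived = gate(PLAN, EXCEPTIONS)
    print(json.dumps({"blocking": blocking, "waived": waived}, indent=2))
    sys.exit(1 if blocking else 0)   # non-zero fails the pipeline stage
```

On the constructed plan the gate blocks three changes (the public ACL, the unencrypted volume and the US bucket) and waives one (the publicly accessible database, covered by a ticket that is still valid); the lapsed exception on the GCS bucket does not waive it, which is the point of carrying an expiry date in the register rather than an open‑ended approval. The same waived list is what you attach to the outsourcing register as the evidence that an exception was approved, by whom and until when.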
