CSSF: DORA takes precedence and clarifies ICT outsourcing (Apr 2025)
CSSF confirmed DORA’s primacy from 17 January 2025 and issued Circular 25/882 to govern third‑party ICT use, the Article 28 register of information, and incident notifications via eDesk.
Trigger. On 15 January 2025, CSSF confirmed that as of 17 January 2025, DORA and its RTS/ITS published in the OJEU prevail over any overlapping CSSF circular provisions (including 20/750, 22/806, 24/847). See the notice: cssf.lu.
On 9 April 2025, CSSF aligned several circulars with DORA and issued Circular 25/882 governing the use of third‑party ICT services (prior notification, register of information, cloud clarifications). See the notice: cssf.lu. The EU framework remains the Regulation (EU) 2022/2554 (DORA).
For Luxembourg operations, the thematic page “ICT and cyber risk – for DORA entities” (updated 2026) details competent authorities, RTS/ITS, and Circular 25/882 scope (cloud, designated officer, backups, prior‑notification timelines): cssf.lu.
For a broader view of the DORA framework and its interplay with national texts, see our law page.
The case
- Primacy (15/01/2025): DORA and its OJEU RTS/ITS prevail over overlapping CSSF circulars; details on DORA notifications via eDesk and the 2025 register of information (RoI) calendar. Source: cssf.lu.
- Circular updates (09/04/2025): selective adoption of EBA ICT risk guidelines for PSPs, refocusing 22/806 on non‑ICT outsourcing for DORA entities, and creation of CSSF Circular 25/882 on third‑party ICT use (prior notification, RoI). Source: cssf.lu.
- Authorities: CSSF (financial sector) and CAA (insurance) are DORA competent authorities. Details: cssf.lu.
Legal reasoning
- Direct applicability: As an EU regulation, DORA applies directly and prevails locally where overlapping occurs. Reference: cssf.lu.
- ICT outsourcing and RoI: DORA Chapter V, notably Article 28, requires a register of information covering all contractual arrangements on ICT services provided by ICT third‑party providers, exit strategies for arrangements supporting critical or important functions, and timely prior information to the competent authority before such arrangements are concluded. Text: eur-lex.europa.eu.
- CSSF operationalisation (25/882): rules on prior notification (3 months standard; 1 month for certain support PSF under LFS art. 29-3), cloud requirements (definition, governance, designated officer), and RoI specifics (format, eDesk channels, controls). Details: cssf.lu.
- Incidents: switch to harmonised DORA forms (initial, intermediate, final) via eDesk; legacy schemes discontinued for DORA entities. Ref.: cssf.lu.
What changes in practice
- For DORA entities (banks, managers, PSPs, etc.): align ICT risk and ICT outsourcing policies/processes with DORA (Level 1 + RTS/ITS). Legacy circulars are no longer sufficient where overlapping applies. Boards must approve a third‑party ICT policy and maintain a comprehensive RoI. Ref.: cssf.lu.
- Cloud: 25/882 mandates governance, a designated “cloud” officer, specific backups (accounting/client positions), and prior notification for critical/important functions (up to 3 months). Details: cssf.lu.
- Register of information (Art. 28): eDesk submission windows, quality checks, and possible rejection by the ESAs. Prepare normalised data (CSV) and run internal validations before submission. Ref.: cssf.lu.
- Incidents: use “DORA Major ICT-related incident and significant cyber threat notification” via eDesk; align with GDPR Art. 33 if personal data are impacted. Ref.: cssf.lu.
Organisations addressing DORA in Luxembourg should also establish clear links between ICT third‑party management and information security, business continuity and supplier management.
Quick examples
- Core banking migration to SaaS: notify 3 months before signing if the function is critical/important; include DORA clauses (audit rights, data location, exit) and a tested reversibility plan. Details: cssf.lu.
- Managed SOC tooling: record the arrangement in the RoI, assess criticality, and set RTS‑compliant KPIs/SLAs and security obligations. Ref.: eur-lex.europa.eu.
- DDoS incident: if the major‑incident classification thresholds are met, file the initial notification via eDesk per the CSSF procedure; coordinate with the DPO for GDPR Arts. 33/34. Ref.: cssf.lu.
In preparation, review your business continuity and recovery plans and the quality of your RoI data.
Common pitfalls
- Relying on “20/750 or 22/806” attestations: where overlapping exists, DORA prevails. Map your policies/contracts to DORA before audits. Ref.: cssf.lu.
- Underestimating the RoI: supplier identifiers, applicable law, sub‑outsourcing chains, group links. Anticipate validation rules and required granularity. Ref.: cssf.lu.
- Missing prior notification: Circular 25/882 timelines (up to 3 months; 1 month for certain support PSF). Ref.: cssf.lu.
- Delegating incident notifications to a third party without a clear framework: the CSSF must be informed in advance (contacts, LEI, eDesk roles), and the financial entity remains fully responsible for the reporting obligation. Ref.: cssf.lu.
- Not aligning the internal operating model: defined roles/skills (e.g., cloud officer), board‑approved policies, and clear links with security, continuity and vendor management. Ref.: cssf.lu.
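The two RoI points above ("Register of information (Art. 28)" under what changes in practice, and "Underestimating the RoI" here) both come down to validating the extract before it goes through eDesk. The script below is an added example, not code from the CSSF, the ESAs or Luxgap. Its column layout is an assumed, simplified internal extract (contract_ref, provider_lei, cif, governing_law, parent_ref) and not the ESA ITS templates, so a real submission still has to be mapped to those templates; the provider names and LEIs are constructed. The LEI check itself is the standard ISO 17442 rule (ISO 7064 mod 97-10), and the sub‑outsourcing check walks parent_ref links to catch dangling references, cycles, and subcontractors marked as not supporting a critical or important function while the arrangement above them is.

```python
"""Pre-submission checks on a register-of-information (RoI) extract.

Added example; not code from CSSF, the ESAs or Luxgap. The column layout is
an ASSUMED simplified internal extract, not the ESA ITS templates: a real
submission must be mapped to those templates and the eDesk format. The LEI
check implements ISO 17442 (ISO 7064 mod 97-10), which is a standard rule.
"""
import csv
import io

# Constructed sample extract (fictitious providers and LEIs).
# parent_ref points at the arrangement a subcontractor supports, which is how
# the sub-outsourcing chain is represented in this layout.
SAMPLE_ROI_CSV = """\
contract_ref,provider_name,provider_lei,function,cif,governing_law,parent_ref
C-001,Core Banking SaaS Ltd,529900ABCDEFGHIJKL19,Core banking platform,yes,LU,
C-002,Cloud Infra Provider,529900ABCDEFGHIJKL18,IaaS hosting for C-001,yes,IE,C-001
C-003,Managed SOC Co,,Security monitoring,yes,LU,
C-004,Backup Vault SA,549300ZZZZZZZZZZZZ46,Offsite backup,no,Luxembourg,C-999
C-005,Datacentre Ops GmbH,549300ZZZZZZZZZZZZ46,Colocation for C-001,no,DE,C-001
"""

REQUIRED = ("contract_ref", "provider_name", "provider_lei", "function", "cif", "governing_law")


def lei_mod97(lei: str) -> int:
    """Reduce an LEI mod 97, mapping letters A..Z to 10..35 (ISO 7064 mod 97-10)."""
    total = 0
    for ch in lei:
        if "0" <= ch <= "9":
            total = (total * 10 + ord(ch) - ord("0")) % 97
        elif "A" <= ch <= "Z":
            total = (total * 100 + ord(ch) - ord("A") + 10) % 97  # letters are two-digit values
        else:
            raise ValueError(f"illegal character {ch!r} in LEI")
    return total


def lei_is_valid(lei: str) -> bool:
    """A well-formed LEI is 20 chars of [0-9A-Z] and reduces to 1 mod 97."""
    if len(lei) != 20:
        return False
    try:
        return lei_mod97(lei) == 1
    except ValueError:
        return False


def lei_check_digits(base18: str) -> str:
    """Check digits that make base18 + digits reduce to 1 mod 97."""
    if len(base18) != 18:
        raise ValueError("LEI base must be 18 characters")
    return f"{98 - lei_mod97(base18 + '00'):02d}"


def validate_roi(csv_text: str) -> list:
    """Return (contract_ref, message) findings; an empty list means the extract passed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    parent = {r["contract_ref"]: (r.get("parent_ref") or "").strip() for r in rows}
    cif = {r["contract_ref"]: (r.get("cif") or "").strip().lower() for r in rows}
    findings = []
    for r in rows:
        ref = r["contract_ref"]
        for col in REQUIRED:
            if not (r.get(col) or "").strip():
                findings.append((ref, f"missing {col}"))
        lei = (r.get("provider_lei") or "").strip()
        if lei and not lei_is_valid(lei):
            findings.append((ref, "provider_lei fails ISO 17442 checksum"))
        if cif[ref] not in ("yes", "no"):
            findings.append((ref, f"cif must be yes/no, got {r['cif']!r}"))
        law = (r.get("governing_law") or "").strip()
        if law and not (len(law) == 2 and law.isascii() and law.isalpha() and law.isupper()):
            findings.append((ref, "governing_law is not an ISO 3166-1 alpha-2 code"))
        p = parent[ref]
        if p and p not in parent:
            findings.append((ref, f"parent_ref {p} does not exist in the register"))
        elif p and cif[p] == "yes" and cif[ref] == "no":
            # A subcontractor underpinning a critical or important function inherits that status.
            findings.append((ref, f"cif is 'no' but supports {p}, which is a critical or important function"))
        # Walk the chain to its top-level arrangement; revisiting a ref means a cycle.
        seen, cur = set(), ref
        while parent.get(cur):
            if cur in seen:
                findings.append((ref, "sub-outsourcing chain contains a cycle"))
                break
            seen.add(cur)
            cur = parent[cur]
    return findings


if __name__ == "__main__":
    for ref, msg in validate_roi(SAMPLE_ROI_CSV):
        print(f"{ref}: {msg}")
```

On the constructed sample the script flags the mutated LEI on C-002, the missing LEI on C-003, the free‑text governing law and dangling parent on C-004, and C-005 as a subcontractor of a critical or important arrangement that is itself marked "no". Running checks of this kind on the normalised extract before the eDesk window opens is what keeps a submission from bouncing on mechanical errors.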
Official sources
- CSSF — Entry into application of DORA (15/01/2025)
- CSSF — Updates of several circulars (09/04/2025)
- CSSF — ICT and cyber risk – for DORA entities (2026)
- EUR‑Lex — Regulation (EU) 2022/2554 (DORA)
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.