← All articles

consultant

CSSF — DORA: ICT register due March 31, 2026; inventory is critical

The CSSF opened the DORA ICT register collection with stricter validations. Without an automated, reliable inventory/CMDB, submissions risk rejection and supply chain blind spots remain.

At a glance — The CSSF opened the DORA “ICT services register” collection on 11 February 2026, with a deadline on 31 March (extended to 30 June for certain third‑country branches). ESA validations are stricter: a register accepted in 2025 may be rejected in 2026 if data quality falls short. Meanwhile, the Klue supply‑chain attack that exposed data at LastPass underscores the need for a precise inventory of integrations and providers.

Key facts

The CSSF confirmed the eDesk submission window from 11 February to 31 March 2026 and warned of tighter validation checks versus 2025. See the communications dated 11/02/2026 and 17/02/2026 (deadline extended to 30/06/2026 for certain branches), as well as the page on ICT and cyber risk for DORA entities. Update: 03/2026.

On the threat side, LastPass confirmed on 23 June 2026 a compromise via the Klue supply‑chain attack: stolen OAuth tokens exposed data in Salesforce, without access to vaults. Details: BleepingComputer.

Applicable legal framework

  • DORA Art. 28(3): exhaustive register of ICT arrangements with third‑party providers at entity/sub‑consolidated/consolidated levels, with annual transmission to the supervisor. CSSF refs: 11/02/2026, 03/2026.
  • NIS 2 Art. 21(2)(d): asset management and supply‑chain security among the minimum risk‑management measures. Text: EUR‑Lex.
  • CSSF 25/882: requirements for using third‑party ICT services (selection, clauses, oversight) and alignment with DORA. Refs: Circular 25/882 and CSSF page.

For additional context, see our page on DORA and operational resilience and the implications for NIS 2 essential entities.

The technical solution: inventory and CMDB

Objective: a single, up‑to‑date repository of assets and services (on‑prem, cloud, SaaS), owners, dependencies, data, criticality, contracts/DPAs, DORA clauses, SLAs, notification duties, integrations (API/OAuth), and locations (EU/third countries). Alignment: ISO 27001:2022 A.5.9, A.5.19; NIST CSF 2.0 ID.AM; CIS Controls 1–2.

How it works in practice

  • Multi‑source discovery: cloud connectors (AWS/GCP/Azure), network discovery, endpoint agents, SaaS APIs (ServiceNow, Salesforce, M365, Workday…), procurement/contracts and application MDM imports.
  • Service‑oriented CMDB model: services mapped to components (microservices, DBs, VMs, buckets), flows (APIs/interconnects), data (GDPR categories), third parties (providers/CSPs), with DORA artefacts attached (provider identity, contract reference, hosting country, sub‑processor chain, exit clauses, RTO/RPO, incident notification channels).
  • Automated controls: detect shadow IT/undeclared SaaS, risky OAuth integrations, extra‑EU data locations, contracts nearing end without exit plan, and non‑assessed vendors.
  • Compliant outputs: generate the DORA register (ESA schema) and NIS 2 views (asset management plan, criticality/dependencies).

Why it’s tougher in 2026: reinforced CSSF validations increase rejection risk for incomplete/inconsistent data (source).

How Luxgap delivers

  • ISO 27001 governance: service catalog and CMDB modeling, taxonomy (assets, owners, data, contracts), update/quality procedures (RACI, KPIs).
  • Outsourced DPO and CISO: personal‑data mapping, legal bases/transfers, DPA and DORA clause linkage to produce the register without rework. Explore our outsourced CISO leadership.
  • Managed SOC (option): API/OAuth and SaaS/Cloud configuration logs to detect shadow IT and risky integrations; automated reconciliation into the CMDB. See our managed SOC and incident detection offering.

Practical steps:

  1. Select the platform (ServiceNow/open‑source CMDB/CSPM with inventory).
  2. Deploy connectors and import contracts/DPAs.
  3. Model services and generate first DORA/NIS 2 exports.
  4. Industrialize data quality (rules, gap reports).
  5. Test register regeneration before CSSF submission.

Use case

For a Luxembourg payment institution (120+ services incl. 35 SaaS), in six weeks we: connected sources, imported contracts/DPAs; found 17 forgotten OAuth integrations (4 with elevated scopes) and 3 tier‑2 sub‑processors outside the EU lacking exit clauses; produced a compliant ESA‑format register and a prioritized remediation plan. Outcome: submission validated without rejection and a stronger posture for NIS 2 controls.

First steps

  • List target inventory sources: clouds, IdP, EDR/XDR, MDM, procurement/contracts, key SaaS APIs.
  • Run a shadow‑IT quick scan: OAuth apps linked to IdP and SaaS suites; flag those lacking owners or DPAs.
  • Define the one‑page CMDB minimal model for DORA: service, components, data, provider, location, sub‑processors, key clauses, escalation/notification contacts.
  • Automate a pilot “DORA register” export and validate against ESA/CSSF rules; fix data‑quality gaps.
  • Plan a quarterly DPO/CISO/Procurement review to maintain the inventory, reassess OAuth integrations, and simulate a supplier‑incident notification.

Official sources

Need support to structure your register and the underlying inventory? Reach out via Luxgap.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →