← All laws

Compliance · CSSF amendment

CSSF 25/883, the amendment aligning 22/806 with DORA.

CSSF Circular 25/883 of 9 April 2025 amends Circular 22/806 to align its requirements with the DORA Régulation (EU 2022/2554), applicable since 17 January 2025. Four structural amendments, immediately applicable, to avoid dual compliance between 22/806 and DORA.

Contact us →
Luxgap explorer
Browse the 5 articles of the law, with Luxgap practical guidance
Browse articles →

Who is concerned?

Same addressees as CSSF 22/806: crédit institutions and PFS (LSF), payment and electronic money institutions (LSP), investment fund managers (CSSF 18/698), UCITS management companies, central counterparties (CCPs), approved publication arrangements (APAs) and approved reporting mechanisms (ARMs), market operators, central securities depositories (CSDs), administrators of critical benchmarks.

Practically, the scope is now divided into four cases, depending on whether the entity is in the DORA scope and on the type of outsourcing (ICT or non-ICT).

Key obligations

  • Amendment 1: 22/806 introduction reworded to reflect entry into application of DORA.
  • Amendment 2: formal définition of DORA Régulation added to Part I Chapter 1.
  • Amendment 3: scope restructured into 4 cases (DORA entities, non-DORA entities, removed entities, Article 125-1 management companies).
  • Amendment 4: removal of cloud-specific contractual clauses (EEA law and EEA résilience), now covered by DORA.
  • Read together with CSSF Circular 25/882 on requirements for using ICT third-party services for financial entities subject to DORA.

Deadlines

CSSF 25/883 has been in force since 9 April 2025, immediate application. The DORA Régulation it aligns with has applied since 17 January 2025. Concerned entities must immediately identify which case (a, b, c or d) they fall under and adapt their outsourcing mapping accordingly.

Sanctions for non-compliance

25/883 does not create specific sanctions: it amends 22/806 whose sanction regime remains applicable (compliance orders, administrative sanctions, restrictions or suspension of authorisation, pecuniary sanctions, withdrawal of authorisation for serious breaches).

However, for ICT requirements transitioning under DORA (cases a and c), DORA sanctions now apply: up to 1% of average daily worldwide turnover for critical ICT third-party providers, with daily fines for failing to comply with injunctions.

How Luxgap helps

We support CSSF entities with 25/883 diagnosis and 22/806 / DORA articulation:

  • Positioning audit: which case (a/b/c/d) are you in? Which part of your outsourcing setup falls under DORA, under 22/806, or both?
  • Outsourcing policy update and provider register to reflect 25/883 amendments and articulation with DORA.
  • Cloud contractual clauses migration: adapting contracts to the DORA framework (Article 28 and mandatory DORA contractual clauses).
  • CSSF inspection préparation integrating 25/883 + DORA + CSSF 25/882.

Let's discuss your situation.

This topic is handled case by case. Get in touch to discuss it: reply within one business day, no commitment.

Contact us →