The classic trap
Circular 25/883 entered into force immediately on 9 April 2025 and reshapes outsourcing rules into four parallel regimes depending on whether you are a DORA entity, a non-DORA entity, a withdrawn entity, or a UCITS management company under article 125-1. The CSSF sanctions entities still applying the pre-25/883 version of Circular 22/806, those duplicating cloud contractual clauses now covered by DORA (EEA applicable law, EEA resilience), or those that have not updated their outsourcing register to separate ICT contracts under DORA from other outsourcings still under 22/806. The trap is silent: no transition period, no compliance deadline, the circular applies from publication.
The 4-regime mapping to master immediately
- DORA entities (credit institutions, PFS, payment and e-money institutions, fund managers, CCPs, CSDs, market operators, critical benchmark administrators): ICT outsourcing falls under DORA and its delegated regulations; non-ICT outsourcing remains under 22/806.
- Non-DORA entities: full 22/806 regime including ICT outsourcing.
- Withdrawn entities: specific transitional regime.
- UCITS management companies under article 125-1: partial application of 22/806.
- Circular CSSF 25/882 must be read together with 25/883; it details ICT third-party requirements for DORA entities.
- The outsourcing register must be split into two streams: DORA register (article 28 of the Regulation) and 22/806 register (non-ICT outsourcings).
The 9 April test: are you already in breach?
If your outsourcing policy predates 9 April 2025 and does not reference DORA, if your cloud contractual clauses still contain the EEA requirements that have been removed, or if your register does not separate DORA ICT contracts from other outsourcings, you are de facto non-compliant and exposed in the event of a CSSF inspection or a major ICT incident reportable under DORA.
How Luxgap automates this risk
Our Luxgap DORA Regime Router eliminates the confusion between the four outsourcing regimes introduced by 25/883 by automatically classifying each of your supplier contracts into the correct regulatory lane (DORA, residual 22/806, 25/882) and generating the appropriate contractual clauses. The tool pulls your contracts continuously from Odoo, DocuSign, SharePoint or your DMS and cross-references the metadata with your CSSF status (bank, PFS, PI, fund manager, CSD). A dedicated LLM agent then reads each contract to determine whether it qualifies as an ICT service under DORA article 3(21) or as non-ICT outsourcing still under 22/806.
- Automatically classifies each supplier contract into one of the four 25/883 regimes (DORA entity / non-DORA / withdrawn / 125-1 management company) by combining your CSSF authorisation and the nature of the service.
- Detects obsolete clauses removed by 25/883 (EEA applicable law, EEA cloud resilience) still present in your contracts and proposes the amendments needed for compliance.
- Automatically generates the DORA register of information compliant with Delegated Regulation (EU) 2024/1773 and the residual 22/806 outsourcing register as separate streams.
- Alerts in real time via Teams or email as soon as a new contract signed in DocuSign falls under DORA and requires the 14 mandatory clauses of article 30.
- Calculates a criticality score per contract (critical or important function within the meaning of DORA article 3(22)) to prioritise your remediation efforts.
- Produces a cryptographically sealed timestamped PDF report, enforceable before the CSSF during an on-site inspection or formal information request.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your regulatory perimeter. Request a personalised quote and our teams will prepare a demonstration on your actual contract portfolio, with a free 48-hour blind audit to measure your 25/883 exposure before any engagement.