How to comply with article M.1 of CSSF 25/883?

Question

I need to bring my Luxembourg organisation into compliance with article M.1 of CSSF 25/883 (CSSF 25/883). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapThe amendment to the 22/806 introduction looks cosmetic, it is not. Luxembourg financial entities (banks, PFS, funds, fintechs) must now map every outsourcing contract along two axes: ICT or non-ICT nature, and entity within or outside the DORA scope. The CSSF sanctions, during its SREP reviews and on-site inspections, firms that still apply 22/806 to an ICT contract where DORA prevails, or conversely invoke DORA for a non-ICT contract that remains under 22/806.The 22/806 / DORA articulation matrix in practiceDORA entity + ICT contract: DORA applies (article 28 register of information, resilience testing, article 30 contractual clauses), 22/806 no longer applies to this contract.DORA entity + non-ICT contract (legal services, consulting, HR, critical cleaning): 22/806 remains fully applicable.Entity outside DORA (certain specialised PFS, article 125-1 UCITS management companies in the relevant cases): 22/806 remains the basis for both ICT and non-ICT.Mixed contract risk: a contract bundling HR services with a critical HR SaaS component must be split or attached to the stricter regime.Prior CSSF notification: the different thresholds and timelines between 22/806 (ex ante notification for critical or important outsourcing) and DORA (register of information, notification of critical or important functions) must be tracked contract by contract.How Luxgap automates this riskOur Luxgap DORA Boundary Mapper makes qualification errors between 22/806 and DORA impossible by automatically analysing every outsourcing contract in your portfolio and assigning each one a single defensible regime. A specialised LLM agent reads your contracts stored in SharePoint, Odoo Contracts, DocuSign or iManage, cross-references the EBA ICT taxonomy and the functional definition in DORA article 3(21), then produces a timestamped qualification matrix ready for CSSF inspection.Scans your entire contractual portfolio (SharePoint, DocuSign, Odoo, iManage, Ironclad) and qualifies each contract as critical ICT, non-critical ICT, or non-ICT according to the DORA grid and circular 22/806.Automatically determines your DORA entity status by cross-referencing your NACE code, your CSSF licence and the article 2 exclusions of the DORA Regulation.Detects mixed contracts (ICT + non-ICT) and proposes either a contractual split strategy or attachment to the stricter regime.Automatically generates the DORA article 28 register of information from qualified ICT contracts, in the EBA ITS format expected by the CSSF.Sends real-time Teams or email alerts as soon as a newly signed contract in DocuSign falls outside the existing qualification framework and requires arbitration.Produces a cryptographically sealed timestamped PDF report, defensible during CSSF inspection, documenting each contract's qualification with its regulatory justification.Available as part of a Luxgap CISO or DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our ...

Amendment 1, introduction of 22/806 reworded to reflect DORA

They trust us

Before we chat