How to comply with article M.3 of CSSF 25/883?

Question

I need to bring my Luxembourg organisation into compliance with article M.3 of CSSF 25/883 (CSSF 25/883). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Accepted Answer

The classic trapThe four-case restructuring looks straightforward on paper, but in practice CSSF sanctions during thematic inspections entities that misclassify themselves. The most frequent trap: a management company managing both UCITS (Article 101-1, within DORA) and AIFs under Article 125-1 (outside DORA), applying the wrong regime to its ICT outsourcing. Another classic trap: a DORA financial entity continuing to apply Part II of 22/806 to legacy ICT contracts, generating contractual clauses incompatible with DORA requirements (notably Articles 28 to 30 of Regulation EU 2022/2554). CSSF expects a written mapping that justifies attaching each outsourcing contract to the correct regime.The qualification test: which case does your entity fall into?Case a (DORA + full 22/806 history): credit institutions, class 1/1bis/2 investment firms, support PSF already subject to 22/806 on any outsourcing. You apply DORA for ICT and Part I of 22/806 for non-ICT (outsourced HR, accounting, real estate management).Case b (outside DORA, full 22/806): CSSF-supervised entities not listed in Article 2 DORA. Explicitly verify your status, as the DORA list is restrictive.Case c (DORA exclusively): entities subject to 22/806 only for their ICT outsourcing. They fall entirely under DORA and leave the scope of 22/806.Case d (Article 125-1 management companies): authorisation limited to Chapter 16 of the UCI Law, outside DORA, therefore 22/806 remains fully applicable including for ICT.Contractual traps to fix immediatelyIdentify ICT contracts signed before 2025 under 22/806 Part II clauses and launch renegotiation to align with Articles 28 to 30 DORA (enhanced audit right, orderly exit, traced sub-outsourcing chain).Distinguish in the contract register between non-ICT contracts (Part I 22/806) and ICT contracts (DORA or Part II depending on the case).Re-verify the qualification of hybrid contracts (e.g. accounting service with SaaS component) that may fall under DORA via the ICT service concept defined in Article 3(21) DORA.How Luxgap automates this riskOur Luxgap DORA Scope Classifier eliminates qualification uncertainty by automatically determining which case (a/b/c/d) applies to your entity and to each of your outsourcing contracts. The tool cross-references your CSSF authorisation (public register), your ICT service portfolio extracted from your vendor contracts (Odoo, DocuWare, SharePoint Legal) and the Article 3(21) DORA grid to produce an opposable decision tree, contract by contract.Classifies each legal entity of the group into one of the four CSSF 25/883 cases by analysing its authorisation (credit institution, PSF, management company 101-1 vs 125-1, AIFM) extracted from the CSSF register.Automatically scans your outsourcing contracts stored in SharePoint, DocuWare or Odoo and qualifies each as ICT (per Article 3(21) DORA) or non-ICT through a specialised LLM agent.Detects high-risk hybrid contracts (business service with undisclosed cloud component) and ...

Amendment 3, scope restructured into four cases (DORA / non-DORA)

They trust us

Before we chat