The classic trap
The removal of cloud-specific clauses from Circular 22/806 is not a relaxation: it is a transfer to the DORA regime, which is far more demanding. Luxembourg financial entities still assume their old cloud contracts signed under 22/806 (EEA law, EEA resilience clauses) remain valid. The CSSF already sanctions under Article 30 of DORA any ICT contract that does not contain the eleven mandatory provisions (full service description, processing and storage locations, service levels with quantitative targets, audit rights, exit strategy, cooperation with authorities, etc.). A cloud contract compliant with the old 22/806 version is not automatically compliant with Article 30 DORA.
What disappears, what replaces it, what becomes tougher
- EEA law clause removed from 22/806, but Article 30(2)(a) DORA still requires a clear description of functions and applicable jurisdiction, and Article 28(8) imposes a prior concentration and sovereignty assessment.
- EEA resilience clause removed from 22/806, replaced by Article 30(2)(e) DORA (continuity, recovery, resilience testing) and TLPT obligations for significant entities.
- Register of ICT contractual arrangements (Article 28(3) DORA) becomes mandatory and must be submitted annually to the CSSF in the dedicated ITS format: this is a new reporting obligation absent from 22/806.
- Critical Third-Party Providers (CTPP): for Microsoft Azure, AWS and Google Cloud designated as critical at EU level, additional direct ESA oversight requirements apply.
- Contracts signed before 17 January 2025 must be reviewed and brought into Article 30 DORA compliance, with no general grace period.
The 22/806 / DORA / 25/882 coexistence trap
Circular 25/883 creates four application cases (DORA entities, non-DORA entities, withdrawn entities, management companies under Article 125-1 UCITS). A management company that thought it depended solely on 22/806 may fall within the DORA scope depending on its activities, and its cloud contracts must then be realigned. CSSF 25/882 details the third-party ICT regime for DORA entities: it must be read jointly with the other texts, otherwise non-compliance across the texts arises.
How Luxgap automates this risk
Our Luxgap DORA Contract Realigner automatically re-audits your ICT contract inventory to detect, clause by clause, the gaps between your old 22/806 contracts and Article 30 DORA requirements. The AI agent ingests your signed cloud contracts (PDF, DocuSign, Ironclad, M-Files, SharePoint Legal), maps them against the eleven mandatory DORA provisions and outputs a compliance matrix that can be relied on before the CSSF, without any manual entry by your legal team.
- Automatically extracts existing cloud clauses from your CSP contracts (Azure, AWS, GCP, OVHcloud, eBRC, LuxConnect, POST Telecom) and maps them onto the eleven Article 30 DORA requirements.
- Identifies orphan contracts still drafted under the old 22/806 regime (EEA law, EEA resilience) that must be amended before the next CSSF inspection.
- Automatically generates pre-drafted DORA-compliant addenda, broken down by provider type (hyperscaler CSP, Luxembourg regional CSP, business SaaS, non-critical ICT subcontractor).
- Feeds the register of ICT contractual arrangements in real time, in the ITS format expected by the CSSF, ready for annual submission.
- Classifies each provider as critical / non-critical function according to Article 28(2) DORA criteria and triggers the mandatory prior assessment workflow.
- Produces a timestamped, cryptographically sealed PDF report that can be relied on during a CSSF inspection, demonstrating contract inventory realignment as of 17 January 2025.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real contract portfolio, with a free 48-hour gap audit to measure your Article 30 DORA exposure before any commitment.