The classic trap
Article 1 sets the scope of DORA and hides a time bomb that is often overlooked: paragraph 2. Many Luxembourg financial entities launched a NIS 2 compliance project and a DORA compliance project in parallel, duplicating workstreams and budgets. Yet DORA is lex specialis: for financial entities identified as essential or important under Directive (EU) 2022/2555, DORA prevails as a sector-specific Union act (Article 4 NIS 2). The CSSF sanctions less the theoretical scope than the operational inconsistency: an entity that applies the wrong framework, that reports to the wrong channel, or that cannot demonstrate which framework applies to each process.
The right-framework test, process by process
The Article 1 trap is not binary. A single entity may fall under DORA for its financial systems while retaining other residual obligations. Before any project, you must settle:
- Are you a financial entity within the meaning of Article 2 (credit institution, investment firm, EMI, payment institution, AIFM, UCITS, insurer, intermediary)? If so, DORA applies as of right.
- Are you also identified as an essential or important entity under the national rules transposing NIS 2? If so, DORA prevails as a sector-specific act and avoids the double application of ICT obligations.
- Are your six pillars covered: ICT risk management, major incident reporting, resilience testing, ICT third-party risk, contractual arrangements, information sharing?
- Are your CSSF circulars (20/750 amended by 25/881, 22/806 amended by 25/883, 25/882) re-read in light of DORA rather than alongside it?
- Do you know, for each incident, the correct reporting channel (CSSF) and the correct legal basis (DORA, GDPR for data breaches)?
Without this prevalence mapping, you risk the costly double project or, worse, the blind spot where no framework is properly applied.
How Luxgap automates this risk
Our Luxgap Scope Resolver makes scope errors impossible by automatically determining which framework prevails on each of your business processes. A specialised AI agent reads your CSSF status, your activity register and your systems map to qualify your entity under Article 2 DORA, check any NIS 2 qualification, and apply the prevalence rule of Article 1(2) process by process, without any redundant compliance workstream.
- Automatically qualifies your entity under Article 2 DORA by cross-checking your CSSF authorisation and your regulated activity nomenclature.
- Detects overlaps with NIS 2 and applies the lex specialis rule of Article 1(2) to eliminate duplicate ICT obligations.
- Maps your six DORA pillars and links them to CSSF circulars 20/750, 22/806 and 25/882 already in force in your organisation.
- Generates a timestamped prevalence matrix indicating, for each process, the applicable framework and the competent reporting channel.
- Produces a sealed PDF report, enforceable before the CSSF during an inspection, demonstrating that your compliance scope is defined and justified.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real perimeter, with a free blind audit within 48h to measure your exposure before any commitment.