The classic trap
Article 44 targets the ESAs (EBA, ESMA, EIOPA), not financial entities directly: it organises cooperation between European supervisors and third-country authorities on ICT third-party risk. The trap, for a CSSF-regulated fintech or a Luxembourg private bank, is to assume the article is irrelevant. In reality, it signals a supervisory direction: the best practices exchanged on incident responses and ICT risk management controls flow back through the RTS and CSSF expectations. What authorities ultimately sanction is not cooperation itself, but the gap between your ICT providers established outside the EU and your ability to demonstrate control over cross-border risk (data location, cascading subcontracting to the US, absence of cooperation clauses with supervisors).
Why this article concretely impacts your non-EU ICT chain
The international cooperation in Article 44 addresses a precise blind spot: third-party ICT providers located or operating outside the Union. Here are the operational checkpoints the CSSF expects you to master in your register of information:
- Identify every ICT provider whose hosting, support or subcontracting takes place in a third country (US cloud, offshore support, non-EU data centre).
- Document the effective location of processing and storage, at both the subcontractor AND the sub-subcontractor level.
- Verify the presence of access and cooperation clauses allowing competent authorities to exercise their rights, in line with delegated regulation 2025/532 on ICT subcontracting.
- Articulate DORA compliance with the GDPR for any non-EU transfer (Schrems II, Data Privacy Framework 2023, transfer impact assessment).
- Trace critical or important functions dependent on a third-country provider, exposed to geographic concentration risk.
CSSF circular 25/882 on third-party ICT services details these expectations for the Luxembourg scope.
How Luxgap automates this risk
Our Luxgap Cross-Border Dependency Mapper makes visible in real time the share of your ICT chain that runs outside the EU, where static registers lie by omission. The tool queries your Microsoft Defender for Cloud Apps, Azure Resource Graph, AWS Cost Explorer consoles and your Odoo contracts to geolocate every flow and dependency, then cross-checks them against the requirements of delegated regulation 2025/532 and CSSF circular 25/882.
- Automatically detects every ICT provider whose hosting, support or subcontracting occurs in a third country, based on the real cloud regions read via the Azure and AWS APIs.
- Maps the full chain of sub-subcontractors and flags transparency breaks toward non-EU jurisdictions (M365 to Azure US, SaaS to AWS us-east-1).
- Verifies the presence of the authority access and cooperation clauses required by delegated regulation 2025/532 in each connected contract.
- Calculates a geographic concentration score per critical or important function and alerts on single-jurisdiction dependencies.
- Generates the GDPR transfer impact assessment tied to each non-EU flow, with a reminder of the recipient's Data Privacy Framework status.
- Produces a timestamped PDF report enforceable before the CSSF, demonstrating the cross-border ICT risk control required by Chapter V of DORA.
Available as a complement to a Luxgap CISO or DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real perimeter, with a free blind audit within 48h to measure your non-EU exposure before any commitment.