The classic trap
Article 63 is a coordination provision: it grafts DORA's ICT requirements into the Benchmarks Regulation (EU 2016/1011) for administrators of critical benchmarks. The trap is to assume that these administrators, already regulated under the Benchmarks Regulation, escape DORA or can rely on their existing accounting procedures. The CSSF now expects administrators of critical benchmarks established or authorised in Luxembourg to demonstrate ICT systems management fully aligned with DORA, not merely generic internal control mechanisms. The common mistake: treating ICT robustness as a financial audit topic rather than as a structured ICT risk management framework (governance, asset register, resilience testing, incident reporting).
What this graft means in practice
- Administrators of critical benchmarks fall under DORA's ICT risk management framework (Articles 5 to 16): policy, asset mapping, continuous controls.
- The effective control and safeguard arrangements required by the new Article 6(6) Benchmarks must be read against the DORA RTS (ICT risk management, backups, restoration).
- Major ICT incident reporting to the CSSF follows the DORA channel and thresholds, not a purely Benchmarks logic.
- The register of contractual arrangements with third-party ICT providers (Article 28 DORA) also covers the benchmark production and calculation chain.
- Digital operational resilience testing becomes an obligation, not an optional good practice.
Concretely, an administrator of a critical benchmark must prove traceability between its Benchmarks safeguard arrangements and DORA's technical requirements. It is this articulated, documented dual compliance that the CSSF inspects.
How Luxgap automates this risk
Our Luxgap Benchmark Resilience Mapper makes the compliance gap between the Benchmarks Regulation and DORA impossible: it links each requirement of the new Article 6(6) to the corresponding DORA measure and immediately flags blind spots. The tool connects to your index calculation environments (data pipelines, M365, Azure Sentinel, Microsoft Defender, AWS) to continuously map the ICT systems critical to benchmark production, with no questionnaire to fill in.
- Automatically detects ICT assets involved in calculating and disseminating the critical benchmark by querying your Azure, AWS and Active Directory inventories.
- Cross-references each Benchmarks control and safeguard arrangement with the equivalent DORA requirement (Articles 5 to 16 and the ICT risk management RTS) and marks the gaps.
- Verifies coverage of the benchmark chain's third-party ICT providers in the Article 28 DORA register and alerts on contracts lacking resilience clauses.
- Calculates a digital operational resilience score and schedules the required tests ahead of each CSSF review.
- Produces a timestamped PDF report enforceable before the CSSF, demonstrating articulated compliance with Article 6(6) Benchmarks and DORA.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real scope, with a free blank audit within 48h to measure your exposure before any commitment.