The classic trap
Article 64 sets a hard deadline: DORA has applied since 17 January 2025, with no grace period and no soft transition. The trap the CSSF sanctions is not ignorance of the text, but the belief that a Luxembourg financial entity could wait for a national transposition before aligning. As a directly applicable regulation, DORA required no national measure: by 17 January 2025, banks, CSSF-regulated fintechs, PSF, AIFM managers and insurers had to already operate an ICT risk management framework, a register of information for third-party providers and an incident notification process. The 2025 CSSF inspections focus precisely on the gap between the legal date and actual maturity.
Why the 17 January 2025 date is non-negotiable
Many entities confused DORA's application with the adoption schedule of the RTS. That is a structural mistake.
- The base regulation (ICT governance obligations, register of information, incident management, resilience testing) has applied in full since 17 January 2025, regardless of the technical standards.
- The RTS and ITS (Delegated Regulation 2025/532 on ICT subcontracting, Delegated Regulation 2025/1190 on TLPT testing implemented via TIBER-LU) came to specify, not postpone, obligations already in force.
- CSSF circulars 20/750 (amended by 25/881), 22/806 (amended by 25/883) and 25/882 are aligned with this timetable: they grant no extra delay, they articulate the existing framework with DORA.
- DORA is lex specialis and prevails over NIS 2 for the same financial entities (Art. 1): invoking a softer NIS 2 timeline is not opposable to the CSSF.
- The first submission of the third-party ICT register of information to the CSSF took place in the first quarter of 2025: an incomplete register at that date is a recorded breach, not a tolerated delay.
The penalty can reach 1% of the entity's average daily worldwide turnover, applied per day until compliance is achieved, without prejudice to remedial measures imposed by the CSSF.
How Luxgap automates this risk
Our Luxgap Compliance Countdown turns the 17 January 2025 regulatory wall into a dated, opposable roadmap by automatically reconstructing your DORA compliance level article by article. The tool continuously queries your systems (Active Directory, Microsoft Defender, Azure Sentinel, your GRC, your outsourcing register in Odoo or Sage BOB 50) to measure the real gap between your obligations in force and your observed maturity, with no questionnaire for the CISO to fill in.
- Calculates a compliance score per DORA requirement in force (ICT governance, register of information, incident notification, resilience testing) and flags every obligation already applicable but uncovered.
- Detects third-party ICT providers missing from your register of information by cross-referencing your contracts, payments and access, and prepares the submission format expected by the CSSF.
- Maps the interplay between DORA, CSSF circulars 20/750, 22/806, 25/882 and RTS 2025/532 and 2025/1190 to eliminate duplicates and blind spots.
- Alerts in real time whenever a new critical ICT service goes live without contractual clauses compliant with the subcontracting RTS.
- Produces a timestamped, sealed PDF report, opposable during a CSSF inspection, demonstrating the date on which each obligation was covered.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real perimeter, with a free blank audit within 48h to measure your exposure before any engagement.