I need to bring my Luxembourg organisation into compliance with recital 22 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 22 records a blunt finding: before DORA, each European financial authority had its own ICT incident reporting thresholds and taxonomies. For a Luxembourg financial entity active in France, Germany and Ireland, this meant up to four different reporting formats for the same incident. The CSSF now sanctions not the format divergence (DORA harmonises this through associated RTS), but the inability to produce the harmonised classification within the deadlines: initial notification within 4 hours after classification as major, intermediate report and final report. The trap is no longer regulatory, it is operational.Why this recital changes your detection architectureThe legislator's intent is clear: an ICT incident must be classified against a single EU grid (Article 18 criteria and associated RTS: clients impacted, duration, data loss, service criticality, economic impact, reputation, geography). Concretely, this imposes:An internal taxonomy aligned with the ESA taxonomy (root cause categories, incident types, impact dimensions), not your legacy SIEM taxonomy.An automatic scoring engine that evaluates each incident in real time against the 7 DORA classification criteria, because 4 hours do not leave time for a crisis committee to deliberate.A cryptographic traceability of the classification decision: why this incident was deemed major (or not), with timestamp enforceable before the CSSF.An output format ready to inject into the future single notification hub the ESAs are building, avoiding double entry.How Luxgap automates this riskOur Luxgap Incident Severity Classifier turns ICT incident classification from a subjective crisis-committee exercise into an automatic timestamped verdict produced in under 60 seconds after event detection. The tool ingests alerts from your SIEM (Microsoft Sentinel, Splunk, Wazuh, CrowdStrike Falcon), cross-references them with your business criticality mapping from the DORA Information Register and applies in real time the 7 classification criteria of the ESA RTS to deliver a major / non-major score enforceable before the CSSF.Detects every ICT incident via native connectors to Sentinel, Defender XDR, Splunk, CrowdStrike, Wazuh and syslog feeds from your critical ICT providers.Classifies automatically against the 7 dimensions of the DORA RTS (clients affected, duration, data loss, criticality, economic impact, reputation, geography) with a grid aligned to the ENISA and ESA taxonomy.Triggers the 4-hour countdown as soon as an incident tips into major and alerts the CISO, DPO and management board via Teams, email and SMS simultaneously.Generates automatically the three DORA reports (initial, intermediate, final) pre-filled in the XBRL/JSON format expected by the CSSF, with mandatory fields verified.Produces a timestamped cryptographic proof of the decision chain (who classified, when, on which criteria, with what score) enforceable in a CSSF review.Tracks the regulatory deadline in real time and a...

Recital 22 DORA — Recital 22

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 22

Digital Operational Resilience Act · UE 2022/2554

(22)

ICT-related incident reporting thresholds and taxonomies vary significantly at national level. While common ground may be achieved through the relevant work undertaken by the European Union Agency for Cybersecurity (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council (11) and the Cooperation Group under Directive (EU) 2022/2555, divergent approaches on setting the thresholds and use of taxonomies still exist, or can emerge, for the remainder of financial entities. Due to those divergences, there are multiple requirements that financial entities must comply with, especially when operating across several Member States and when part of a financial group. Moreover, such divergences have the potential to hinder the creation of further uniform or centralised Union mechanisms that speed up the reporting process and support a quick and smooth exchange of information between competent authorities, which is crucial for addressing ICT risk in the event of large-scale attacks with potentially systemic consequences.

Luxembourg specificity

Circulaire CSSF 24/847 du 5 aout 2024 relative au cadre de notification des incidents TIC

In Luxembourg, the CSSF is the competent authority for receiving major ICT incident notifications under DORA. The CSSF Circular 24/847 specifies the transmission channel (eDesk portal) and requires alignment with existing reports under CSSF Circular 20/750 on ICT risk management requirements for the financial sector. Entities must demonstrate that DORA notification does not duplicate but replaces the former fragmented channels.

Luxgap practice: configure the CSSF eDesk connector in the Incident Severity Classifier from DORA go-live and test the full flow on a fictitious incident in pre-production before the first real incident.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 22 records a blunt finding: before DORA, each European financial authority had its own ICT incident reporting thresholds and taxonomies. For a Luxembourg financial entity active in France, Germany and Ireland, this meant up to four different reporting formats for the same incident. The CSSF now sanctions not the format divergence (DORA harmonises this through associated RTS), but the inability to produce the harmonised classification within the deadlines: initial notification within 4 hours after classification as major, intermediate report and final report. The trap is no longer regulatory, it is operational.

Why this recital changes your detection architecture

The legislator's intent is clear: an ICT incident must be classified against a single EU grid (Article 18 criteria and associated RTS: clients impacted, duration, data loss, service criticality, economic impact, reputation, geography). Concretely, this imposes:

An internal taxonomy aligned with the ESA taxonomy (root cause categories, incident types, impact dimensions), not your legacy SIEM taxonomy.
An automatic scoring engine that evaluates each incident in real time against the 7 DORA classification criteria, because 4 hours do not leave time for a crisis committee to deliberate.
A cryptographic traceability of the classification decision: why this incident was deemed major (or not), with timestamp enforceable before the CSSF.
An output format ready to inject into the future single notification hub the ESAs are building, avoiding double entry.

How Luxgap automates this risk

Our Luxgap Incident Severity Classifier turns ICT incident classification from a subjective crisis-committee exercise into an automatic timestamped verdict produced in under 60 seconds after event detection. The tool ingests alerts from your SIEM (Microsoft Sentinel, Splunk, Wazuh, CrowdStrike Falcon), cross-references them with your business criticality mapping from the DORA Information Register and applies in real time the 7 classification criteria of the ESA RTS to deliver a major / non-major score enforceable before the CSSF.

Detects every ICT incident via native connectors to Sentinel, Defender XDR, Splunk, CrowdStrike, Wazuh and syslog feeds from your critical ICT providers.
Classifies automatically against the 7 dimensions of the DORA RTS (clients affected, duration, data loss, criticality, economic impact, reputation, geography) with a grid aligned to the ENISA and ESA taxonomy.
Triggers the 4-hour countdown as soon as an incident tips into major and alerts the CISO, DPO and management board via Teams, email and SMS simultaneously.
Generates automatically the three DORA reports (initial, intermediate, final) pre-filled in the XBRL/JSON format expected by the CSSF, with mandatory fields verified.
Produces a timestamped cryptographic proof of the decision chain (who classified, when, on which criteria, with what score) enforceable in a CSSF review.
Tracks the regulatory deadline in real time and alerts 30 minutes before each cutoff to avoid breaching reporting windows.

Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module depending on your perimeter. Request a tailored quote and our teams prepare a demonstration on a real incident replayed from your logs, with a free 48-hour white audit to measure your current capacity to meet the 4-hour regulatory window.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 22

They trust us

Before we chat