I need to bring my Luxembourg organisation into compliance with recital 28 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 28 sheds light on what the CSSF actually finds during its inspections: ICT contracts of Luxembourg financial entities are signed as-is, without genuine negotiation of audit rights, access rights or oversight of the subcontracting chain. As a result, during a CSSF inspection under circular 22/806 and now under DORA, the financial entity can neither prove it tried to enforce its rights, nor demonstrate it monitors the subcontracting chain of its hyperscaler. Recital 28 provides the interpretive basis for articles 28 to 30 of DORA and justifies a strict reading of the contractual obligation.What this recital concretely changes in your ICT contractsMarket standard contracts (AWS, Azure, M365, Salesforce as-is) are no longer a defence vis-a-vis the CSSF: you must document your written requests for amendment and the provider's refusals.Audit rights must be operational, not just contractual: without an audit plan, a reserved audit window, an up-to-date SOC 2 type II report, the right does not exist in the regulator's view.Subcontracting oversight must be active: register of your ICT provider's sub-processors, prior notification of changes, materialised right of objection.Standardised services (public cloud, mass SaaS) require a documented analysis showing the service meets your specific prudential requirements, or otherwise the compensating mitigations in place.The ability to assess associated risks must be traced and refreshed: a one-off risk assessment at signature is no longer sufficient.How Luxgap automates this riskOur Luxgap Contract Leverage Scanner transforms the chore of ICT contract review into evidence opposable to the CSSF within 48 hours. The tool ingests your ICT contracts (PDF, DocuSign, Ironclad, M365 SharePoint) via a DORA-specialised LLM agent that automatically detects the 47 clauses required by articles 28 to 30 and compares them to your real exposure measured in Microsoft Defender for Cloud Apps, AWS Config and Azure Resource Graph.Automatically detects missing or weakened clauses (audit rights, subcontracting, exit strategy, data localisation, incident SLA) in each signed ICT contract.Classifies each provider based on the critical or important nature of the function supported, in accordance with the criteria of article 28(2) of DORA.Generates a pre-drafted renegotiation letter, citing the applicable DORA recital and article, ready to be sent to the provider with traced acknowledgment of receipt.Scans the actual subcontracting chain by querying transparency portals (AWS Sub-processors, Microsoft OST, Salesforce Trust) and alerts on Teams or Slack as soon as a new subcontractor is added.Produces a timestamped, cryptographically sealed PDF dossier demonstrating to the CSSF that you have exercised your contractual rights and maintained your article 28(3) information register.Available as a complement to a Luxgap CISO or DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quot...

Recital 28 DORA — Recital 28

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 28

Digital Operational Resilience Act · UE 2022/2554

(28)

The extensive use of ICT services is evidenced by complex contractual arrangements, whereby financial entities often encounter difficulties in negotiating contractual terms that are tailored to the prudential standards or other regulatory requirements to which they are subject, or otherwise in enforcing specific rights, such as access or audit rights, even when the latter are enshrined in their contractual arrangements. Moreover, many of those contractual arrangements do not provide for sufficient safeguards allowing for the fully-fledged monitoring of subcontracting processes, thus depriving the financial entity of its ability to assess the associated risks. In addition, as ICT third-party service providers often provide standardised services to different types of clients, such contractual arrangements do not always cater adequately for the individual or specific needs of financial industry actors.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2024 portant mise en oeuvre du reglement (UE) 2022/2554 et circulaire CSSF 22/806

In Luxembourg, the CSSF anticipated DORA via CSSF circular 22/806 on outsourcing arrangements, which remains applicable and cumulates with DORA since 17 January 2025. The CSSF notably requires prior notification for any critical ICT outsourcing and maintains the register of designated providers. The law of 1 August 2024 implementing DORA designates the CSSF and the CAA as competent authorities depending on the sector (banks, PFS, insurance).

Luxgap practice: if you are a Luxembourg fintech or PFS, your DORA article 28(3) information register must be maintained in parallel with the CSSF 22/806 outsourcing dashboard and reconciled quarterly, otherwise you face dual sanctions.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 28 sheds light on what the CSSF actually finds during its inspections: ICT contracts of Luxembourg financial entities are signed as-is, without genuine negotiation of audit rights, access rights or oversight of the subcontracting chain. As a result, during a CSSF inspection under circular 22/806 and now under DORA, the financial entity can neither prove it tried to enforce its rights, nor demonstrate it monitors the subcontracting chain of its hyperscaler. Recital 28 provides the interpretive basis for articles 28 to 30 of DORA and justifies a strict reading of the contractual obligation.

What this recital concretely changes in your ICT contracts

Market standard contracts (AWS, Azure, M365, Salesforce as-is) are no longer a defence vis-a-vis the CSSF: you must document your written requests for amendment and the provider's refusals.
Audit rights must be operational, not just contractual: without an audit plan, a reserved audit window, an up-to-date SOC 2 type II report, the right does not exist in the regulator's view.
Subcontracting oversight must be active: register of your ICT provider's sub-processors, prior notification of changes, materialised right of objection.
Standardised services (public cloud, mass SaaS) require a documented analysis showing the service meets your specific prudential requirements, or otherwise the compensating mitigations in place.
The ability to assess associated risks must be traced and refreshed: a one-off risk assessment at signature is no longer sufficient.

How Luxgap automates this risk

Our Luxgap Contract Leverage Scanner transforms the chore of ICT contract review into evidence opposable to the CSSF within 48 hours. The tool ingests your ICT contracts (PDF, DocuSign, Ironclad, M365 SharePoint) via a DORA-specialised LLM agent that automatically detects the 47 clauses required by articles 28 to 30 and compares them to your real exposure measured in Microsoft Defender for Cloud Apps, AWS Config and Azure Resource Graph.

Automatically detects missing or weakened clauses (audit rights, subcontracting, exit strategy, data localisation, incident SLA) in each signed ICT contract.
Classifies each provider based on the critical or important nature of the function supported, in accordance with the criteria of article 28(2) of DORA.
Generates a pre-drafted renegotiation letter, citing the applicable DORA recital and article, ready to be sent to the provider with traced acknowledgment of receipt.
Scans the actual subcontracting chain by querying transparency portals (AWS Sub-processors, Microsoft OST, Salesforce Trust) and alerts on Teams or Slack as soon as a new subcontractor is added.
Produces a timestamped, cryptographically sealed PDF dossier demonstrating to the CSSF that you have exercised your contractual rights and maintained your article 28(3) information register.

Available as a complement to a Luxgap CISO or DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real ICT contracts, with a free blank audit within 48 hours to measure your contractual exposure before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 28

They trust us

Before we chat