I need to bring my Luxembourg organisation into compliance with recital 29 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 29 explains why DORA creates an autonomous ICT contractual regime, distinct from the sectoral outsourcing framework (EBA Guidelines, CSSF Circular 22/806, EIOPA Guidelines). In practice, the CSSF sanctions financial entities that simply rely on pre-2025 cloud outsourcing contracts: those agreements lack the core contractual rights of DORA article 30, particularly on audits, termination, location and cooperation with authorities. The trap is to assume that compliance with Circular 22/806 is enough: DORA adds a supplementary layer that must be embedded in every arrangement, even with non-critical providers.How to read this recital to anticipate articles 28 to 30Recital 29 sets three interpretive principles that illuminate the whole of DORA section V:Speciality principle: DORA rules add to sectoral law (CSSF Circular 22/806, EBA Outsourcing Guidelines) and do not replace it. Both corpora must be cumulated in every contract.Reinforced proportionality: core contractual rights apply to ALL ICT providers, but the enhanced regime of article 30(3) only targets critical or important functions.Minimum enforceable safeguards: key rights (audit, access, termination, transition, location, cooperation with authorities) are non-negotiable minimums, even against a hyperscaler. A contractual clause excluding them is unenforceable against the CSSF.Qualification mechanics: classifying a function as critical or important (DORA article 8(4), aligned with Circular 22/806) determines the scope of the enhanced mandatory clauses.Articulation with classic outsourcing: the same cloud contract can simultaneously be an outsourcing arrangement under Circular 22/806 and an ICT arrangement under DORA, triggering a dual regime.How Luxgap automates this riskOur Luxgap DORA Contract Intelligence turns your ICT contract portfolio into a living register directly enforceable before the CSSF, eliminating the blind spot between Circular 22/806 and DORA articles 28 to 30. The tool ingests your contracts from SharePoint, DocuSign, Ironclad or your internal document management system, and a specialised LLM agent reads each clause to map coverage of the 15 core contractual rights required by DORA, cross-referencing with your existing CSSF outsourcing register.Automatically detects every new ICT contract upon signature in DocuSign or Ironclad and links it to the DORA article 28(3) register of information, without manual intervention from the CISO.Identifies missing clauses one by one (audit, termination, location, sub-contracting, CSSF cooperation, exit strategies) with citation of the relevant DORA paragraph and Circular 22/806 paragraph.Classifies each provider depending on whether it supports a critical or important function by cross-referencing the business mapping, the Defender application inventory and Sage BOB 50 financial flows, then applies the correct contractual regime.Generates pre-drafted addenda aligned with the European Commission RTS to close each g...

Recital 29 DORA — Recital 29

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 29

Digital Operational Resilience Act · UE 2022/2554

(29)

Even though Union financial services law contains certain general rules on outsourcing, monitoring of the contractual dimension is not fully anchored into Union law. In the absence of clear and bespoke Union standards applying to the contractual arrangements concluded with ICT third-party service providers, the external source of ICT risk is not comprehensively addressed. Consequently, it is necessary to set out certain key principles to guide financial entities’ management of ICT third-party risk, which are of particular importance when financial entities resort to ICT third-party service providers to support their critical or important functions. Those principles should be accompanied by a set of core contractual rights in relation to several elements in the performance and termination of contractual arrangements with a view to providing certain minimum safeguards in order to strengthen financial entities’ ability to effectively monitor all ICT risk emerging at the level of third-party service providers. Those principles are complementary to the sectoral law applicable to outsourcing.

Luxembourg specificity

Circulaire CSSF 22/806 relative aux arrangements d'externalisation, lue avec le Reglement (UE) 2022/2554 (DORA)

In Luxembourg, the CSSF cumulates two distinct frameworks for financial entities: CSSF Circular 22/806 on outsourcing arrangements (transposing EBA/GL/2019/02 and EIOPA-BoS-20/002 guidelines) and the DORA regulation directly applicable since 17 January 2025. The CSSF clarified in its 18 December 2024 communication that entities must maintain their cloud outsourcing prior notification under Circular 22/806 AND keep the DORA article 28(3) register of information, with no substitution between the two.

Luxgap practice: for each cloud contract, produce a single sheet that ticks both grids (Circular 22/806 and DORA), with clause-by-clause correspondence; this is the only way to respond in one iteration to CSSF thematic reviews.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 29 explains why DORA creates an autonomous ICT contractual regime, distinct from the sectoral outsourcing framework (EBA Guidelines, CSSF Circular 22/806, EIOPA Guidelines). In practice, the CSSF sanctions financial entities that simply rely on pre-2025 cloud outsourcing contracts: those agreements lack the core contractual rights of DORA article 30, particularly on audits, termination, location and cooperation with authorities. The trap is to assume that compliance with Circular 22/806 is enough: DORA adds a supplementary layer that must be embedded in every arrangement, even with non-critical providers.

How to read this recital to anticipate articles 28 to 30

Recital 29 sets three interpretive principles that illuminate the whole of DORA section V:

Speciality principle: DORA rules add to sectoral law (CSSF Circular 22/806, EBA Outsourcing Guidelines) and do not replace it. Both corpora must be cumulated in every contract.
Reinforced proportionality: core contractual rights apply to ALL ICT providers, but the enhanced regime of article 30(3) only targets critical or important functions.
Minimum enforceable safeguards: key rights (audit, access, termination, transition, location, cooperation with authorities) are non-negotiable minimums, even against a hyperscaler. A contractual clause excluding them is unenforceable against the CSSF.
Qualification mechanics: classifying a function as critical or important (DORA article 8(4), aligned with Circular 22/806) determines the scope of the enhanced mandatory clauses.
Articulation with classic outsourcing: the same cloud contract can simultaneously be an outsourcing arrangement under Circular 22/806 and an ICT arrangement under DORA, triggering a dual regime.

How Luxgap automates this risk

Our Luxgap DORA Contract Intelligence turns your ICT contract portfolio into a living register directly enforceable before the CSSF, eliminating the blind spot between Circular 22/806 and DORA articles 28 to 30. The tool ingests your contracts from SharePoint, DocuSign, Ironclad or your internal document management system, and a specialised LLM agent reads each clause to map coverage of the 15 core contractual rights required by DORA, cross-referencing with your existing CSSF outsourcing register.

Automatically detects every new ICT contract upon signature in DocuSign or Ironclad and links it to the DORA article 28(3) register of information, without manual intervention from the CISO.
Identifies missing clauses one by one (audit, termination, location, sub-contracting, CSSF cooperation, exit strategies) with citation of the relevant DORA paragraph and Circular 22/806 paragraph.
Classifies each provider depending on whether it supports a critical or important function by cross-referencing the business mapping, the Defender application inventory and Sage BOB 50 financial flows, then applies the correct contractual regime.
Generates pre-drafted addenda aligned with the European Commission RTS to close each gap, ready to be sent to the provider.
Alerts in real time via Teams when an existing contract is amended by a provider and a DORA clause disappears or is weakened.
Produces the complete register of information in the RTS Annex format, exportable directly to the CSSF within the annual reporting window.

Available alongside a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real contracts, with a free 48-hour blind audit to measure the DORA coverage rate of your current portfolio.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 29

They trust us

Before we chat