I need to bring my Luxembourg organisation into compliance with recital 35 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 35 DORA — Recital 35

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 35

Digital Operational Resilience Act · UE 2022/2554

(35)

In order to maintain a high level of digital operational resilience for the whole financial sector, and at the same time to keep pace with technological developments, this Regulation should address risk stemming from all types of ICT services. To that end, the definition of ICT services in the context of this Regulation should be understood in a broad manner, encompassing digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis. That definition should, for instance, include so called ‘over the top’ services, which fall within the category of electronic communications services. It should exclude only the limited category of traditional analogue telephone services qualifying as Public Switched Telephone Network (PSTN) services, landline services, Plain Old Telephone Service (POTS), or fixed-line telephone services.

Luxembourg specificity

loi luxembourgeoise du 1er juin 2023 portant mise en oeuvre du reglement (UE) 2022/2554 (DORA) et circulaire CSSF 24/847

In Luxembourg, the CSSF is the DORA competent authority for supervised financial entities and has published CSSF circular 24/847 on ICT incident reporting, which aligns with the broad ICT services definition in recital 35. The law of 1 June 2023 implementing the DORA regulation confirms that any failure of an ICT service, including OTT and encrypted messaging used by front office teams, may trigger the major incident notification obligation within 4 hours to the CSSF.

Luxgap practice: start with an exhaustive inventory of over-the-top services (Teams, WhatsApp Business, Signal) used by your traders and relationship managers; this is the CSSF's first angle of scrutiny during 2025 DORA inspections.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

This recital massively broadens the DORA perimeter: any digital or data service provided on an ongoing basis through ICT systems falls within scope, including over-the-top services (Teams, Slack, WhatsApp Business, Zoom). In practice, the CSSF sanctions financial entities that have mapped only their classic cloud vendors while forgetting these digital communication channels, market data APIs, encrypted messaging used by traders, or niche business SaaS. Only traditional analogue telephony (PSTN, POTS, landline) is excluded: everything else must appear in your article 28(3) register of information.

What this broad definition concretely changes

Over-the-top services (Teams, Webex, Slack, Signal Business) are DORA ICT services: they must be in the register and risk-assessed.
Market data feeds (Bloomberg, Refinitiv, ICE) are DORA ICT services, not mere documentary subscriptions.
API services (KYC, sanctions screening, credit scoring, ESG data) are DORA ICT services even when billed per transaction.
E-signature, e-KYC and video-identification platforms are included, even when used occasionally.
Only pure analogue telephone services (POTS, PSTN, classic landline) are excluded. VoIP, SIP, M365 integrated softphone are IN.
The common mistake: excluding freemium or individual tools (Notion, Miro, Calendly) adopted without formal procurement. They are shadow IT and remain DORA ICT services.

How Luxgap automates this risk

Our Luxgap ICT Service Discovery makes it impossible to forget an ICT service in your DORA register: the tool continuously discovers every digital service used in your financial entity, including over-the-top and shadow IT, and automatically reconciles this discovery with your CSSF register of information. The agent cross-references your Microsoft Defender for Cloud Apps logs, outbound DNS flows from your SD-WAN, accounting transactions from Sage BOB 50 or SAP, Azure AD OAuth connectors and Netskope CASB flows to surface your entire ICT footprint.

Automatically detects each new ICT service as soon as a user authenticates, an invoice is paid or an outbound DNS flow appears, with no manual declaration from business lines.
Classifies each service against the DORA taxonomy (critical ICT services, support, OTT electronic communications, market data) and applies the right level of risk analysis.
Distinguishes excluded services (POTS/PSTN analogue telephony) from included services (VoIP, Teams softphone, SIP trunk) based on the technical signature of the traffic, not on vendor declarations.
Alerts instantly via Teams or Slack as soon as a new ICT service appears without article 28(3) registration, with a 5-minute target delay.
Generates a pre-filled DORA register of information in the ESAs Implementing Technical Standards format, exportable as CSV or via API directly into the CSSF reporting flow.
Produces a timestamped PDF report, cryptographically sealed, opposable to the CSSF during an inspection, demonstrating the completeness of your article 8 mapping.

Available as a complement to a Luxgap DPO or CISO mandate or as a standalone SaaS brick depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your real perimeter, with a free 48-hour scan revealing the exact number of active ICT services in your entity, before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 35

They trust us

Before we chat