I need to bring my Luxembourg organisation into compliance with recital 41 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

The classic trapRecital 41 creates a qualification puzzle: the same legal entity can be excluded from DORA under Articles 2 and 3 of MiFID II (for example a tied agent, an own-account dealer, an energy market maker), while still being fully subject to DORA if it also qualifies as a central securities depository, a UCITS/AIF, or an insurance/reinsurance undertaking. In such cases, the CSSF sanctions groups that applied a blanket exclusion at group level without checking eligibility entity by entity, activity by activity. The trap: believing that a single MiFID exemption ticks the DORA exclusion box for the entire perimeter.The entity-by-entity qualification testTo apply recital 41 correctly, a two-step reasoning is required for each legal entity in the group:Step 1: is the entity covered by MiFID II Articles 2 or 3 (exemptions and optional national regime)? If yes, it is in principle outside DORA scope.Step 2: does this same entity also qualify as a central securities depository (CSDR), a collective investment undertaking (UCITS or AIFM), or an insurance/reinsurance undertaking (Solvency II)? If yes, the MiFID exclusion does not apply and DORA fully applies.Document the qualification for each LEI in the group, with the legal basis of the exclusion or inclusion, dated and signed by the compliance officer.Reassess upon each change of the activity program approved by the CSSF, and at least once a year.Keep the evidence opposable to the CSSF in case of a thematic DORA control, which always starts by verifying the declared perimeter.How Luxgap automates this riskOur Luxgap DORA Scope Qualifier eliminates the risk of wrongful self-exclusion by automatically mapping each LEI of your group against MiFID II, CSDR, UCITS, AIFM and Solvency II regimes, and computing DORA eligibility entity by entity. The tool continuously queries the ESMA register, the CSSF register, the EIOPA register and your corporate data (LEI, authorisations, activity program from Odoo or Sage) to detect any combination that triggers DORA inclusion despite an apparent MiFID exclusion.Maps each legal entity of the group by cross-referencing LEI, CSSF authorisations and ESMA/EIOPA registers to identify cumulative qualifications.Automatically detects MiFID 2/3 plus CSDR, UCITS, AIFM or Solvency II overlaps that void the DORA exclusion.Generates a dated and signed DORA eligibility matrix, opposable to the CSSF during a perimeter review.Alerts on Teams or by email as soon as a new authorisation, merger or statutory change shifts the qualification of an entity.Produces a timestamped PDF report that demonstrates the entity-by-entity legal reasoning, with the cited legal basis.Reassesses the perimeter on every official register update, without manual intervention.Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on the size of your group. Request a tailored quote and our teams will run a demonstration on your actual group structure, with a free 48-hou...

Recital 41 DORA — Recital 41

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 41

Digital Operational Resilience Act · UE 2022/2554

(41)

Similarly, in order to align this Regulation to the scope of Directive 2014/65/EU of the European Parliament and of the Council (18), it is also appropriate to exclude from the scope of this Regulation natural and legal persons referred in Articles 2 and 3 of that Directive which are allowed to provide investment services without having to obtain an authorisation under Directive 2014/65/EU. However, Article 2 of Directive 2014/65/EU also excludes from the scope of that Directive entities which qualify as financial entities for the purposes of this Regulation such as, central securities depositories, collective investment undertakings or insurance and reinsurance undertakings. The exclusion from the scope of this Regulation of the persons and entities referred to in Articles 2 and 3 of that Directive should not encompass those central securities depositories, collective investment undertakings or insurance and reinsurance undertakings.

Luxembourg specificity

loi luxembourgeoise du 1er aout 2024 portant mise en oeuvre du reglement DORA et loi du 30 mai 2018 relative aux marches d'instruments financiers

In Luxembourg, the CSSF is the DORA competent authority for nearly all in-scope financial entities, and the CAA for insurance and reinsurance undertakings. The law of 1 August 2024 implementing DORA explicitly designates the supervisory authorities and confirms that the MiFID II Articles 2 and 3 exclusions must be read together with the law of 30 May 2018 on markets in financial instruments, which transposes MiFID II into Luxembourg law.

Luxgap practice: for each entity in the group, cross-check the CSSF register status (and CAA for insurance) with the exclusions listed in Article 2 of the law of 30 May 2018, and document the outcome in a dedicated memo signed by the authorised manager before declaring any DORA non-applicability.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 41 creates a qualification puzzle: the same legal entity can be excluded from DORA under Articles 2 and 3 of MiFID II (for example a tied agent, an own-account dealer, an energy market maker), while still being fully subject to DORA if it also qualifies as a central securities depository, a UCITS/AIF, or an insurance/reinsurance undertaking. In such cases, the CSSF sanctions groups that applied a blanket exclusion at group level without checking eligibility entity by entity, activity by activity. The trap: believing that a single MiFID exemption ticks the DORA exclusion box for the entire perimeter.

The entity-by-entity qualification test

To apply recital 41 correctly, a two-step reasoning is required for each legal entity in the group:

Step 1: is the entity covered by MiFID II Articles 2 or 3 (exemptions and optional national regime)? If yes, it is in principle outside DORA scope.
Step 2: does this same entity also qualify as a central securities depository (CSDR), a collective investment undertaking (UCITS or AIFM), or an insurance/reinsurance undertaking (Solvency II)? If yes, the MiFID exclusion does not apply and DORA fully applies.
Document the qualification for each LEI in the group, with the legal basis of the exclusion or inclusion, dated and signed by the compliance officer.
Reassess upon each change of the activity program approved by the CSSF, and at least once a year.
Keep the evidence opposable to the CSSF in case of a thematic DORA control, which always starts by verifying the declared perimeter.

How Luxgap automates this risk

Our Luxgap DORA Scope Qualifier eliminates the risk of wrongful self-exclusion by automatically mapping each LEI of your group against MiFID II, CSDR, UCITS, AIFM and Solvency II regimes, and computing DORA eligibility entity by entity. The tool continuously queries the ESMA register, the CSSF register, the EIOPA register and your corporate data (LEI, authorisations, activity program from Odoo or Sage) to detect any combination that triggers DORA inclusion despite an apparent MiFID exclusion.

Maps each legal entity of the group by cross-referencing LEI, CSSF authorisations and ESMA/EIOPA registers to identify cumulative qualifications.
Automatically detects MiFID 2/3 plus CSDR, UCITS, AIFM or Solvency II overlaps that void the DORA exclusion.
Generates a dated and signed DORA eligibility matrix, opposable to the CSSF during a perimeter review.
Alerts on Teams or by email as soon as a new authorisation, merger or statutory change shifts the qualification of an entity.
Produces a timestamped PDF report that demonstrates the entity-by-entity legal reasoning, with the cited legal basis.
Reassesses the perimeter on every official register update, without manual intervention.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on the size of your group. Request a tailored quote and our teams will run a demonstration on your actual group structure, with a free 48-hour blank audit to map your DORA exposure before any commitment.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 41

They trust us

Before we chat