I need to bring my Luxembourg organisation into compliance with recital 48 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 48 DORA — Recital 48

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 48

Digital Operational Resilience Act · UE 2022/2554

(48)

To keep pace with an evolving cyber threat landscape, financial entities should maintain updated ICT systems that are reliable and capable, not only for guaranteeing the processing of data required for their services, but also for ensuring sufficient technological resilience to allow them to deal adequately with additional processing needs due to stressed market conditions or other adverse situations.

Luxembourg specificity

CSSF Circular 24/847 on ICT risk management and notification of major ICT-related incidents

In Luxembourg, the CSSF published Circular 24/847 in 2024 on ICT risk management and incident notification, replacing former circulars 20/750 and 22/806 to align with DORA. It clarifies expectations on capacity and resilience testing for Luxembourg-incorporated entities (banks, PFS, EMIs, IFMs).

Luxgap practice: for AIFM/UCITS funds domiciled in Luxembourg, we calibrate the Resilience Forecaster on historical NAV strike and redemption peaks observed on the market, to produce a capacity evidence directly aligned with CSSF 24/847 expectations.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 48 informs the interpretation of DORA Article 7 on the reliability and capacity of ICT systems. The CSSF already sanctions financial entities whose systems degrade during market stress episodes (volatility spikes, massive NAV strikes, redemption runs on AIFM/UCITS funds). The trap: capacity sized for average traffic, not for adverse scenarios, and silent obsolescence of critical ICT components (unsupported OS, unpatched libraries, end-of-life appliances).

What this recital imposes in practice on Articles 7 and 8

Capacity sized to absorb a peak load under stressed conditions (extreme volatility, flash crash, money market fund run), not just nominal load.
Up-to-date ICT inventory with versions, end-of-support dates, critical dependencies (Article 8).
Formalised patch management and hardware renewal policy, with execution evidence opposable to the CSSF.
Load and technology stress tests linked to financial stress scenarios (consistency with ICAAP, ILAAP, ORSA depending on the entity).
Failover capability to the secondary site without service degradation during market tension windows.

How Luxgap automates this risk

Our Luxgap ICT Resilience Forecaster turns the vague requirement of sufficient capacity under adverse conditions into quantified evidence opposable to the CSSF. The tool continuously correlates your infrastructure metrics (Azure Monitor, AWS CloudWatch, vSphere, Datadog, Dynatrace) with market stress indicators (VIX volatility, Bloomberg volumes, subscription/redemption flows from Olympic or Multifonds) to predict 90 days ahead when your ICT capacity will saturate under stress.

Automatically detects obsolete or end-of-support ICT components (OS, middleware, network appliances, libraries) across the connected estate, without manual inventory.
Monthly simulates an adverse scenario (5x peak, degraded network latency, datacenter loss) on your critical workloads and calculates the gap between actual and required Article 7 capacity.
Correlates historical market stress windows with observed ICT consumption to produce a stress coefficient specific to your activity (private bank, AIFM, PSF, EMI).
Generates the capacity and technology renewal plan required by the RTS, with forecast budget and replacement schedule.
Produces a quarterly timestamped report, cryptographically signed, opposable during a CSSF inspection or ECB SREP audit.

Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real infrastructure, with a free 48-hour blank audit to measure your resilience capacity before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 48

They trust us

Before we chat