The classic trap
Recital 5 acknowledges an uncomfortable truth: for 15 years, the European financial sector strengthened its financial resilience (Basel III, MREL, EBA stress tests) while neglecting its digital resilience. The CSSF now sanctions entities that still treat ICT risk as a sub-chapter of operational risk, handled by two people in IT, without board oversight and without a map of their chain of digital dependencies. DORA reverses this logic: digital operational resilience becomes a standalone pillar, on a par with credit or liquidity risk.
What this recital concretely changes in your DORA project
- ICT risk leaves the 'operational risk' paragraph of your ICAAP/ORSA: it must have its own governance, its own budget, its own board reporting.
- Compliance is no longer measured by 'we have a firewall and an EDR': it is measured by the ability to demonstrate end-to-end operational resilience (detection, response, recovery, continuity).
- Entities that ticked the boxes of CSSF circular 20/750 (ICT and security risk management) have a foundation, but DORA goes further: threat-led penetration testing (TLPT), a register of information on ICT third-party providers, and harmonised classification and reporting of major ICT-related incidents.
- The CSSF expects a documented trajectory: where you stood before DORA, where you stand today, where you will be in 12 months on each of the 5 pillars (governance, ICT risk management, incidents, testing, third parties).
The 'DORA maturity' test the CSSF expects
Through this recital, the legislator implicitly asks you to demonstrate that you have closed the historical blind spot. Concretely: a formal gap assessment between your pre-DORA framework (typically based on CSSF 20/750 + EBA Guidelines on ICT and Security Risk Management) and DORA requirements, with a dated and budgeted remediation plan, approved by the board. Without this document, in case of a major incident or CSSF inspection, you cannot demonstrate due diligence.
How Luxgap automates the gap assessment
Our Luxgap DORA Maturity Compass turns the DORA gap assessment into a continuous, defensible exercise rather than a one-off 80,000 EUR consulting mission redone every year. The tool connects to your existing sources (ServiceNow GRC, Archer, Microsoft Purview, Azure Sentinel, your SharePoint policies, your vendor contracts in Ivalua or Coupa) and computes in real time your DORA maturity score across the 5 pillars, mapped onto the Regulation's 64 articles and the RTS/ITS published by the ESAs.
- Automatically scans your internal policies (ISMS policy, business continuity plan, outsourcing charter) and flags the clauses that DORA and its RTS require but your documents lack.
- Maps your pre-DORA framework (CSSF 20/750, EBA GL, NIST CSF) and pinpoints the delta to close, without starting from a blank page.
- Generates a remediation plan prioritised by regulatory criticality and implementation effort, with quarterly milestones ready to present to the board.
- Produces a timestamped, cryptographically signed maturity dossier, defensible to the CSSF during on-site inspections or thematic ICT reviews.
- Alerts the CISO and the DPO whenever a new regulatory technical standard (RTS) is published by the ESAs and impacts one of your existing controls.
Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module, depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your current framework, with a free 48-hour mock audit to measure your real exposure before any engagement.