I need to bring my Luxembourg organisation into compliance with recital 5 of DORA (UE 2022/2554). What are the concrete requirements, the sanctions, and how can Luxgap support me?

Recital 5 DORA — Recital 5

EU frameworkGDPR NIS 2DORAAI Act Whistleblowing

CSSF circularsCSSF 22/806 CSSF 25/883 CSSF 25/880 CSSF 25/881 CSSF 25/882 CSSF 20/750 CSSF 12/552 CSSF 11/504 (repealed)CSSF 24/847

Recital 5

Digital Operational Resilience Act · UE 2022/2554

(5)

Despite Union and national targeted policy and legislative initiatives, ICT risk continues to pose a challenge to the operational resilience, performance and stability of the Union financial system. The reforms that followed the 2008 financial crisis primarily strengthened the financial resilience of the Union financial sector and aimed to safeguard the competitiveness and stability of the Union from economic, prudential and market conduct perspectives. Although ICT security and digital resilience are part of operational risk, they have been less in the focus of the post-financial crisis regulatory agenda and have developed in only some areas of the Union’s financial services policy and regulatory landscape, or in only a few Member States.

Luxembourg specificity

circulaire CSSF 20/750 du 14 decembre 2020 relative aux exigences en matiere de gouvernance et de gestion des risques en matiere de TIC et de securite

In Luxembourg, the CSSF anticipated DORA through CSSF circular 20/750 (requirements on ICT and security risk governance and management), which transposed the EBA Guidelines on ICT and Security Risk Management. CSSF-supervised entities (banks, PFS, fund managers, payment institutions, EMIs) already compliant with 20/750 have a solid foundation, but the CSSF clearly indicated in its 2024 communications that DORA goes further: ICT third-party provider register in the ESAs format, TLPT for significant entities, and major incident notification within 4 hours using the harmonised template.

Luxgap practice: start your DORA gap assessment explicitly from your documented 20/750 compliance, and identify the 6 to 8 DORA-specific workstreams (third-party ICT register, TLPT, harmonised notification, advanced resilience testing) that constitute the real delta to fund.

Luxgap guidance · DPO & CISO

How to comply

The classic trap

Recital 5 acknowledges a heavy truth: for 15 years, the European financial sector strengthened its financial resilience (Basel III, MREL, EBA stress tests) but neglected its digital resilience. The CSSF now sanctions entities that still treat ICT risk as a sub-chapter of operational risk, handled by two people in IT, without board oversight and without a map of the digital dependency chain. DORA reverses this logic: digital operational resilience becomes a standalone pillar, on par with credit or liquidity risk.

What this recital concretely changes in your DORA project

ICT risk leaves the 'operational risk' paragraph of your ICAAP/ORSA: it must have its own governance, its own budget, its own board reporting.
Compliance is no longer measured by 'we have a firewall and an EDR': it is measured by the ability to demonstrate end-to-end operational resilience (detection, response, recovery, continuity).
Entities that ticked the boxes of CSSF circular 20/750 (ICT governance, cloud outsourcing) have a foundation, but DORA goes further: advanced resilience tests (TLPT), third-party ICT provider register, harmonised major incident management.
The CSSF expects a documented trajectory: where you stood before DORA, where you stand today, where you will be in 12 months on each of the 5 pillars (governance, ICT risk management, incidents, testing, third parties).

The 'DORA maturity' test the CSSF expects

Through this recital, the legislator implicitly asks you to demonstrate that you have closed the historical blind spot. Concretely: a formal gap assessment between your pre-DORA framework (typically based on CSSF 20/750 + EBA Guidelines on ICT and Security Risk Management) and DORA requirements, with a dated and budgeted remediation plan, approved by the board. Without this document, in case of a major incident or CSSF inspection, you cannot demonstrate due diligence.

How Luxgap automates this risk

Our Luxgap DORA Maturity Compass turns the DORA gap assessment into a continuous and defensible exercise, rather than a one-off 80,000 EUR consulting mission redone every year. The tool connects to your existing sources (ServiceNow GRC, Archer, Microsoft Purview, Azure Sentinel, your SharePoint policies, your vendor contracts in Ivalua or Coupa) and computes in real time your DORA maturity score across the 5 pillars, mapped onto the 64 articles and the RTS/ITS published by the ESAs.

Automatically scans your internal policies (ISMS policy, business continuity plan, outsourcing charter) and detects clauses missing against DORA requirements and the RTS.
Maps your pre-DORA framework (CSSF 20/750, EBA GL, NIST CSF) and pinpoints the delta to close, without starting from a blank page.
Generates a remediation plan prioritised by regulatory criticality and implementation effort, with quarterly milestones ready to present to the board.
Produces a timestamped, cryptographically signed maturity dossier, defensible to the CSSF during on-site inspections or thematic ICT reviews.
Alerts the CISO and the DPO whenever a new regulatory technical standard (RTS) is published by the ESAs and impacts one of your existing controls.

Available as a complement to a Luxgap CISO mandate or as a standalone SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your current framework, with a free 48h white audit to measure your real exposure before any engagement.

Need help?

Our team (lawyers + cyber engineers + developers) supports you. Free quote within 48h.

Recital 5

They trust us

Before we chat